JS: pdfka-gen [Expl]" Bedrohung gefunden über Avast

TomFinn · 18.03.2013, 17:20

Moin Community,

es wäre wunderbar wenn mir Jemand bei meinem Problem mit einem Trojaner helfen könnte.
Ich bin leider keine PC Leuchte und beim googeln hier auf dieses Board gestossen und hab auch bereits 2 Berichte zu diesem Trojaner gelesen. Allerdings gibt es wohl kein Patentrezept und es wird geraten ein eigenes Thema zu erstellen, welches Ihr nun seht.

Vorinfos: Kasperskygültigkeit ist ausgelaufen daher hab ich heute Avast runtergeladen und dann natürlich gleich gescannt, mit folgender 1 (hohen) Bedrohung:
JS: pdfka-gen [Expl]" in
C:\Users\***\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3HJ7DPF5\4706[1].pdf wurde dann von mir in Container verschoben.

Da meistens empfohlen wurde per Malwarebytes Anti-Malware (Test) 1.70.0.1100 zu scannen
hab ich hier den quick scan schon laufen lassen...

Malwarebytes Anti-Malware (Test) 1.70.0.1100
www.malwarebytes.org

Datenbank Version: v2013.03.18.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
xxx :: xxx [Administrator]

Schutz: Aktiviert

18.03.2013 16:29:52
mbam-log-2013-03-18 (16-29-52).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 214997
Laufzeit: 3 Minute(n), 15 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)

(Ende)

Bitte um Hilfe

Vielen Dank vorab
TomFinn

aharonov · 18.03.2013, 17:50

Hallo TomFinn und

Mein Name ist Leo und ich werde dich durch die Bereinigung deines Rechners begleiten.

Eine Bereinigung beinhaltet nebst dem Entfernen von Malware auch das Schliessen von Sicherheitslücken und sollte gründlich durchgeführt werden. Sie erfolgt deshalb in mehreren Schritten und bedeutet einigen Aufwand für dich.
Beachte: Das Verschwinden der offensichtlichen Symptome bedeutet nicht, dass das System schon sauber ist.
Arbeite daher in deinem eigenen Interesse solange mit, bis du das OK bekommst, dass alles erledigt ist.

Hinweise zum Ablauf

Du bekommst von mir jeweils eine individuell auf dich abgestimmte schrittweise Anleitung.
- Lese diese Anweisungen immer zuerst vollständig durch und frag bei Unklarheiten nach, bevor du beginnst.
- Arbeite die Anleitungen dann sorgfältig und in der angegebenen Reihenfolge ab und poste deine Rückmeldungen und Logfiles gesammelt in einer Antwort.
- Füge den Inhalt der Logfiles wenn immer möglich innerhalb von Code-Tags in deine Antwort ein.
- Sollten Probleme auftauchen, dann brich an dieser Stelle ab und schildere sie so gut wie möglich.

Es ist wichtig für mich, dass sich der Zustand deines Systems nicht plötzlich unvorhersehbar ändert. Deshalb: Bitte
- .. lasse keine Scanner oder Tools ohne Aufforderung laufen. Lösche nichts auf eigene Faust.
- .. installiere oder deinstalliere während der Bereinigung keine Software.
- .. frag nicht parallel in anderen Foren nach Hilfe (Crossposting).

Ich kann dir keine Garantien geben, dass die Bereinigung schlussendlich erfolgreich sein wird und wir alles finden werden.
- Ein Formatieren und Neuinstallieren ist meist der schnellere und immer der sicherere Weg.
- Sollte ich eine schwerwiegende Infektion bei dir finden, werde ich dich nochmals darauf hinweisen. Es bleibt aber deine Entscheidung.

Los geht's: Alle Tools immer auf den Desktop speichern und von dort starten.

Zitat:

JS: pdfka-gen [Expl]

Das bedeutet erst, dass du beim Surfen bei einem infizierten PDF-File vorbeigekommen bist, welches dir Malware unterschieben will.
Man sieht aber noch nicht, ob das auch geklappt hat oder nicht.
Schauen wir mal hin:

Schritt 1

Downloade dir bitte defogger (von jpshortstuff) auf deinen Desktop.

Starte das Tool mit Doppelklick.
Klicke nun auf den Disable Button.
Bestätige diese Sicherheitsabfrage mit Ja.
Wenn der Scan beendet wurde (Finished), klicke auf OK.
Falls Defogger zu einem Neustart auffordert, bestätige dies mit OK.
Defogger erstellt auf dem Desktop eine Logdatei mit dem Namen defogger_disable.txt.
Nur falls Probleme aufgetreten sind, poste deren Inhalt mit deiner nächsten Antwort.

Klicke den Re-enable Button nicht ohne Anweisung!

Schritt 2

Lade dir Gmer herunter (auf den Button Download EXE drücken) und speichere das Programm auf den Desktop.

Deaktiviere alle Antivirenprogramme und Malware/Spyware Scanner.
Trenne alle bestehenden Verbindungen zu einem Netzwerk/Internet (WLAN nicht vergessen).
Schliesse bitte alle anderen Programme.
Starte gmer.exe (die Datei hat einen zufälligen Dateinamen).
Vista und Win7 User mit Rechtsklick "als Administrator starten".
Sollte sich ein Fenster mit folgender Warnung öffnen
WARNING !!!
GMER has found system modification, which might have been caused by ROOTKIT activity.
Do you want to fully scan your system ?
dann klicke unbedingt auf No.
Entferne rechts den Haken bei:
- IAT/EAT
- Show all
Setze rechts den Haken bei deiner Systempartition (normalerweise C:\).
Starte den Scan mit einem Klick auf Scan.
Mache gar nichts am Computer, während der Scan läuft!
Wenn der Scan fertig ist, klicke auf Save und speichere das Logfile unter Gmer.txt auf deinen Desktop.
Schliesse dann GMER und führe unmittelbar einen Neustart des Computers durch.
Füge bitte den Inhalt des Logfiles hier in deine Thread ein.

Antiviren-Programm und sonstige Scanner wieder einschalten, bevor du ins Netz gehst.

Schritt 3

Lade dir bitte OTL (von Oldtimer) herunter und speichere es auf deinen Desktop.

Doppelklick auf die OTL.exe.
Unter Extra Registry, wähle bitte Use SafeList.
Setze den Haken bei Scan all Users.
Klicke nun auf Run Scan.
Wenn der Scan beendet ist, werden 2 Logfiles (OTL.txt und Extras.txt) erstellt.
Poste den Inhalt dieser Logfiles hier in den Thread.

Bitte poste in deiner nächsten Antwort:

Log von Gmer
Logs von OTL

TomFinn · 18.03.2013, 18:40

Moin Leo,

vielen Dank für den support. Habe alles durchgelesen und wollte nach 1 (alles gut)
schritt 2 durchführen. dabei gab es gleich ein Problem beim Downloadversuch.

Fehlermeldung: Warning ! Gmer has found system modification caused by ROOTKIT activity.
Dann kommt nur ein Kästchen OK (hab ich noch nicht gedrückt)

laut Logfile vom Screen ist die vorletzte Zeile in rot

Disk\Device\Harddisk0\DR0 "und unter value steht" TDL4@MBR code has been found.

Was nun ? Hab ja Schritt 2 nur den Download versucht und sonst noch gar nichts.

Gruss TomFinn

aharonov · 18.03.2013, 18:48

Hi,

ich glaube, das was du meinst ist ein Screenshot des Programms, welcher auf dieser Website gezeigt wird..
Du musst untendran auf den Button Download EXE drücken, um das Programm herunterzuladen.

TomFinn · 18.03.2013, 22:06

Hi,

jupp da war ich etwas vorschnell mit dem Screen und hatte das auf mein Download bezogen.

Ok, hab schritt 2 mit Gmer (logfiles sind gespeichert) durchgeführt, allerdings gab es beim Runterfahren einen Absturz und beim Neustart muste dann aus dem abgesicherten Modus gestartet werden. 2. Problem war, das ich das heutige Download vom Programm Speedup vergessen hatte und dieses gleich einen eigenen Scan beim Neu starten durchgeführt hatte.

Jetzt meine Frage, ob es mit dieser Situation Sinnvoll ist mit Schritt 3 weiterzuverfahren, oder ob es nun schon genug Komplikationen gibt ? Würde auch gern dieses Speed up wieder runterschmeissen, anscheinend verlangsamt es meinen PC eher.

Gruss TomFinn.

aharonov · 18.03.2013, 22:10

Hi,

ja, schmeiss dieses Speed up runter und mach mit Schritt 3 weiter.

TomFinn · 18.03.2013, 23:02

hi,

so speed up ist de-installiert und die Logfiles kommen jetzt....

zuerst Gmer, dann OTL und dann Extra

Gruss TomFinn

GMER Logfile:

Code:

ATTFilter

GMER 2.1.19155 - hxxp://www.gmer.net
Rootkit scan 2013-03-18 21:29:17
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST1500DL rev.CC4A 1397,27GB
Running: 83n5yfzz.exe; Driver: C:\Users\xxx\AppData\Local\Temp\pgldqkow.sys


---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[3104] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter                         0000000076b287b1 5 bytes [33, C0, C2, 04, 00]
.text  C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[3104] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                              0000000076b01465 2 bytes [B0, 76]
.text  C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[3104] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                             0000000076b014bb 2 bytes [B0, 76]
.text  ...                                                                                                                                                    * 2
.text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[6748] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                          0000000076b4a30a 1 byte [62]
.text  C:\Program Files\Windows Sidebar\sidebar.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                          0000000077b23ae0 5 bytes JMP 000000010016075c
.text  C:\Program Files\Windows Sidebar\sidebar.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                            0000000077b27a90 5 bytes JMP 00000001001603a4
.text  C:\Program Files\Windows Sidebar\sidebar.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                               0000000077b51490 5 bytes JMP 0000000100160b14
.text  C:\Program Files\Windows Sidebar\sidebar.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                   0000000077b514f0 5 bytes JMP 0000000100160ecc
.text  C:\Program Files\Windows Sidebar\sidebar.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                    0000000077b515d0 5 bytes JMP 000000010016163c
.text  C:\Program Files\Windows Sidebar\sidebar.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                0000000077b51810 5 bytes JMP 0000000100161284
.text  C:\Program Files\Windows Sidebar\sidebar.exe[4828] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                    0000000077b52840 5 bytes JMP 00000001001619f4
.text  C:\Program Files\Windows Sidebar\sidebar.exe[4828] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189                                               000000007772eecd 1 byte [62]
.text  C:\Program Files\Windows Sidebar\sidebar.exe[4828] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                            000007feffdf6e00 5 bytes JMP 000007ff7fe11dac
.text  C:\Program Files\Windows Sidebar\sidebar.exe[4828] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                000007feffdf6f2c 5 bytes JMP 000007ff7fe10ecc
.text  C:\Program Files\Windows Sidebar\sidebar.exe[4828] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                000007feffdf7220 5 bytes JMP 000007ff7fe11284
.text  C:\Program Files\Windows Sidebar\sidebar.exe[4828] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                               000007feffdf739c 5 bytes JMP 000007ff7fe1163c
.text  C:\Program Files\Windows Sidebar\sidebar.exe[4828] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                               000007feffdf7538 5 bytes JMP 000007ff7fe119f4
.text  C:\Program Files\Windows Sidebar\sidebar.exe[4828] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                      000007feffdf75e8 5 bytes JMP 000007ff7fe103a4
.text  C:\Program Files\Windows Sidebar\sidebar.exe[4828] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                      000007feffdf790c 5 bytes JMP 000007ff7fe1075c
.text  C:\Program Files\Windows Sidebar\sidebar.exe[4828] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                       000007feffdf7ab4 5 bytes JMP 000007ff7fe10b14
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6724] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                    0000000077cffaa0 5 bytes JMP 0000000100030600
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6724] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                        0000000077cffb38 5 bytes JMP 0000000100030804
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6724] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                         0000000077cffc90 5 bytes JMP 0000000100030c0c
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6724] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                     0000000077d00018 5 bytes JMP 0000000100030a08
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6724] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                         0000000077d01900 5 bytes JMP 0000000100030e10
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6724] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                 0000000077d1c45a 5 bytes JMP 00000001000301f8
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6724] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                               0000000077d21217 5 bytes JMP 00000001000303fc
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6724] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                    0000000076b4a30a 1 byte [62]
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6724] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                           0000000076f5ee09 5 bytes JMP 00000001002501f8
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6724] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                            0000000076f63982 5 bytes JMP 00000001002503fc
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6724] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                         0000000076f67603 5 bytes JMP 0000000100250804
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6724] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                         0000000076f6835c 5 bytes JMP 0000000100250600
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6724] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                       0000000076f7f52b 5 bytes JMP 0000000100250a08
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6724] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                 0000000075bb5181 5 bytes JMP 0000000100261014
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6724] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                     0000000075bb5254 5 bytes JMP 0000000100260804
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6724] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                     0000000075bb53d5 5 bytes JMP 0000000100260a08
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6724] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                    0000000075bb54c2 5 bytes JMP 0000000100260c0c
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6724] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                    0000000075bb55e2 5 bytes JMP 0000000100260e10
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6724] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                           0000000075bb567c 5 bytes JMP 00000001002601f8
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6724] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                           0000000075bb589f 5 bytes JMP 00000001002603fc
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6724] C:\Windows\SysWOW64\sechost.dll!DeleteService                                            0000000075bb5a22 5 bytes JMP 0000000100260600
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6840] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                    0000000077cffaa0 5 bytes JMP 0000000100250600
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6840] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                        0000000077cffb38 5 bytes JMP 0000000100250804
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6840] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                         0000000077cffc90 5 bytes JMP 0000000100250c0c
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6840] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                     0000000077d00018 5 bytes JMP 0000000100250a08
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6840] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                         0000000077d01900 5 bytes JMP 0000000100250e10
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6840] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                 0000000077d1c45a 5 bytes JMP 00000001002501f8
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6840] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                               0000000077d21217 5 bytes JMP 00000001002503fc
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6840] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                    0000000076b4a30a 1 byte [62]
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6840] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                           0000000076f5ee09 5 bytes JMP 00000001002e01f8
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6840] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                            0000000076f63982 5 bytes JMP 00000001002e03fc
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6840] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                         0000000076f67603 5 bytes JMP 00000001002e0804
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6840] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                         0000000076f6835c 5 bytes JMP 00000001002e0600
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6840] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                       0000000076f7f52b 5 bytes JMP 00000001002e0a08
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6840] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                 0000000075bb5181 5 bytes JMP 00000001002f1014
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6840] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                     0000000075bb5254 5 bytes JMP 00000001002f0804
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6840] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                     0000000075bb53d5 5 bytes JMP 00000001002f0a08
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6840] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                    0000000075bb54c2 5 bytes JMP 00000001002f0c0c
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6840] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                    0000000075bb55e2 5 bytes JMP 00000001002f0e10
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6840] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                           0000000075bb567c 5 bytes JMP 00000001002f01f8
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6840] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                           0000000075bb589f 5 bytes JMP 00000001002f03fc
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6840] C:\Windows\SysWOW64\sechost.dll!DeleteService                                            0000000075bb5a22 5 bytes JMP 00000001002f0600
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6840] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                  0000000076b01465 2 bytes [B0, 76]
.text  C:\Program Files (x86)\Google\Drive\googledrivesync.exe[6840] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                 0000000076b014bb 2 bytes [B0, 76]
.text  ...                                                                                                                                                    * 2
.text  C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\x64\klwtblfs.exe[5308] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity  000007feffdf6e00 5 bytes JMP 000007ff7fe11dac
.text  C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\x64\klwtblfs.exe[5308] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA      000007feffdf6f2c 5 bytes JMP 000007ff7fe10ecc
.text  C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\x64\klwtblfs.exe[5308] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW      000007feffdf7220 5 bytes JMP 000007ff7fe11284
.text  C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\x64\klwtblfs.exe[5308] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A     000007feffdf739c 5 bytes JMP 000007ff7fe1163c
.text  C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\x64\klwtblfs.exe[5308] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W     000007feffdf7538 5 bytes JMP 000007ff7fe119f4
.text  C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\x64\klwtblfs.exe[5308] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA            000007feffdf75e8 5 bytes JMP 000007ff7fe103a4
.text  C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\x64\klwtblfs.exe[5308] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW            000007feffdf790c 5 bytes JMP 000007ff7fe1075c
.text  C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\x64\klwtblfs.exe[5308] C:\Windows\SYSTEM32\sechost.dll!DeleteService             000007feffdf7ab4 5 bytes JMP 000007ff7fe10b14
.text  C:\orgaMAX\orgamaxmobil_service.exe[5816] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                                                        0000000077cffaa0 5 bytes JMP 0000000100230600
.text  C:\orgaMAX\orgamaxmobil_service.exe[5816] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                                            0000000077cffb38 5 bytes JMP 0000000100230804
.text  C:\orgaMAX\orgamaxmobil_service.exe[5816] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                                             0000000077cffc90 5 bytes JMP 0000000100230c0c
.text  C:\orgaMAX\orgamaxmobil_service.exe[5816] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                                                         0000000077d00018 5 bytes JMP 0000000100230a08
.text  C:\orgaMAX\orgamaxmobil_service.exe[5816] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                                             0000000077d01900 5 bytes JMP 0000000100230e10
.text  C:\orgaMAX\orgamaxmobil_service.exe[5816] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                                                     0000000077d1c45a 5 bytes JMP 00000001002301f8
.text  C:\orgaMAX\orgamaxmobil_service.exe[5816] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                                                   0000000077d21217 5 bytes JMP 00000001002303fc
.text  C:\orgaMAX\orgamaxmobil_service.exe[5816] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                                                        0000000076b4a30a 1 byte [62]
.text  C:\orgaMAX\orgamaxmobil_service.exe[5816] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                                               0000000076f5ee09 5 bytes JMP 00000001002401f8
.text  C:\orgaMAX\orgamaxmobil_service.exe[5816] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                                                0000000076f63982 5 bytes JMP 00000001002403fc
.text  C:\orgaMAX\orgamaxmobil_service.exe[5816] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                                             0000000076f67603 5 bytes JMP 0000000100240804
.text  C:\orgaMAX\orgamaxmobil_service.exe[5816] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                                             0000000076f6835c 5 bytes JMP 0000000100240600
.text  C:\orgaMAX\orgamaxmobil_service.exe[5816] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                                           0000000076f7f52b 5 bytes JMP 0000000100240a08
.text  C:\orgaMAX\orgamaxmobil_service.exe[5816] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                                                     0000000075bb5181 5 bytes JMP 0000000100251014
.text  C:\orgaMAX\orgamaxmobil_service.exe[5816] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                                                         0000000075bb5254 5 bytes JMP 0000000100250804
.text  C:\orgaMAX\orgamaxmobil_service.exe[5816] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                                                         0000000075bb53d5 5 bytes JMP 0000000100250a08
.text  C:\orgaMAX\orgamaxmobil_service.exe[5816] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                                                        0000000075bb54c2 5 bytes JMP 0000000100250c0c
.text  C:\orgaMAX\orgamaxmobil_service.exe[5816] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                                                        0000000075bb55e2 5 bytes JMP 0000000100250e10
.text  C:\orgaMAX\orgamaxmobil_service.exe[5816] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                                               0000000075bb567c 5 bytes JMP 00000001002501f8
.text  C:\orgaMAX\orgamaxmobil_service.exe[5816] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                                               0000000075bb589f 5 bytes JMP 00000001002503fc
.text  C:\orgaMAX\orgamaxmobil_service.exe[5816] C:\Windows\SysWOW64\sechost.dll!DeleteService                                                                0000000075bb5a22 5 bytes JMP 0000000100250600
.text  C:\orgaMAX\orgamaxmobil_service.exe[5816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69                                                      0000000076b01465 2 bytes [B0, 76]
.text  C:\orgaMAX\orgamaxmobil_service.exe[5816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155                                                     0000000076b014bb 2 bytes [B0, 76]
.text  ...                                                                                                                                                    * 2
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                        0000000077cffaa0 5 bytes JMP 0000000100030600
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                            0000000077cffb38 5 bytes JMP 0000000100030804
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                             0000000077cffc90 5 bytes JMP 0000000100030c0c
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                         0000000077d00018 5 bytes JMP 0000000100030a08
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[4580] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                             0000000077d01900 5 bytes JMP 0000000100030e10
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[4580] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                     0000000077d1c45a 5 bytes JMP 00000001000301f8
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[4580] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                   0000000077d21217 5 bytes JMP 00000001000303fc
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[4580] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                        0000000076b4a30a 1 byte [62]
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[4580] C:\Windows\syswow64\USER32.dll!SetWinEventHook                               0000000076f5ee09 5 bytes JMP 00000001000a01f8
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[4580] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                0000000076f63982 5 bytes JMP 00000001000a03fc
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[4580] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                             0000000076f67603 5 bytes JMP 00000001000a0804
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[4580] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                             0000000076f6835c 5 bytes JMP 00000001000a0600
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[4580] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                           0000000076f7f52b 5 bytes JMP 00000001000a0a08
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[4580] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                     0000000075bb5181 5 bytes JMP 00000001000b1014
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[4580] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                         0000000075bb5254 5 bytes JMP 00000001000b0804
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[4580] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                         0000000075bb53d5 5 bytes JMP 00000001000b0a08
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[4580] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                        0000000075bb54c2 5 bytes JMP 00000001000b0c0c
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[4580] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                        0000000075bb55e2 5 bytes JMP 00000001000b0e10
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[4580] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                               0000000075bb567c 5 bytes JMP 00000001000b01f8
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[4580] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                               0000000075bb589f 5 bytes JMP 00000001000b03fc
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[4580] C:\Windows\SysWOW64\sechost.dll!DeleteService                                0000000075bb5a22 5 bytes JMP 00000001000b0600
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[11132] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                         0000000077cffaa0 5 bytes JMP 0000000100030600
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[11132] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                             0000000077cffb38 5 bytes JMP 0000000100030804
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[11132] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                              0000000077cffc90 5 bytes JMP 0000000100030c0c
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[11132] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                          0000000077d00018 5 bytes JMP 0000000100030a08
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[11132] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                              0000000077d01900 5 bytes JMP 0000000100030e10
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[11132] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                      0000000077d1c45a 5 bytes JMP 00000001000301f8
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[11132] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                    0000000077d21217 5 bytes JMP 00000001000303fc
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[11132] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                         0000000076b4a30a 1 byte [62]
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[11132] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                0000000076f5ee09 5 bytes JMP 00000001001201f8
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[11132] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                 0000000076f63982 5 bytes JMP 00000001001203fc
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[11132] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                              0000000076f67603 5 bytes JMP 0000000100120804
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[11132] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                              0000000076f6835c 5 bytes JMP 0000000100120600
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[11132] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                            0000000076f7f52b 5 bytes JMP 0000000100120a08
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[8860] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory                              0000000077cffaa0 5 bytes JMP 0000000100030600
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[8860] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory                                  0000000077cffb38 5 bytes JMP 0000000100030804
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[8860] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess                                   0000000077cffc90 5 bytes JMP 0000000100030c0c
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[8860] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory                               0000000077d00018 5 bytes JMP 0000000100030a08
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[8860] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread                                   0000000077d01900 5 bytes JMP 0000000100030e10
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[8860] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll                                           0000000077d1c45a 5 bytes JMP 00000001000301f8
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[8860] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll                                         0000000077d21217 5 bytes JMP 00000001000303fc
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[8860] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112                              0000000076b4a30a 1 byte [62]
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[8860] C:\Windows\syswow64\USER32.dll!SetWinEventHook                                     0000000076f5ee09 5 bytes JMP 00000001001801f8
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[8860] C:\Windows\syswow64\USER32.dll!UnhookWinEvent                                      0000000076f63982 5 bytes JMP 00000001001803fc
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[8860] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW                                   0000000076f67603 5 bytes JMP 0000000100180804
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[8860] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA                                   0000000076f6835c 5 bytes JMP 0000000100180600
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[8860] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx                                 0000000076f7f52b 5 bytes JMP 0000000100180a08
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[8860] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity                           0000000075bb5181 5 bytes JMP 0000000100191014
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[8860] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA                               0000000075bb5254 5 bytes JMP 0000000100190804
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[8860] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW                               0000000075bb53d5 5 bytes JMP 0000000100190a08
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[8860] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A                              0000000075bb54c2 5 bytes JMP 0000000100190c0c
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[8860] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W                              0000000075bb55e2 5 bytes JMP 0000000100190e10
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[8860] C:\Windows\SysWOW64\sechost.dll!CreateServiceA                                     0000000075bb567c 5 bytes JMP 00000001001901f8
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[8860] C:\Windows\SysWOW64\sechost.dll!CreateServiceW                                     0000000075bb589f 5 bytes JMP 00000001001903fc
.text  C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[8860] C:\Windows\SysWOW64\sechost.dll!DeleteService                                      0000000075bb5a22 5 bytes JMP 0000000100190600
.text  C:\Windows\system32\taskeng.exe[8856] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll                                                                       0000000077b23ae0 5 bytes JMP 00000001001a075c
.text  C:\Windows\system32\taskeng.exe[8856] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll                                                                         0000000077b27a90 5 bytes JMP 00000001001a03a4
.text  C:\Windows\system32\taskeng.exe[8856] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory                                                            0000000077b51490 5 bytes JMP 00000001001a0b14
.text  C:\Windows\system32\taskeng.exe[8856] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory                                                                0000000077b514f0 5 bytes JMP 00000001001a0ecc
.text  C:\Windows\system32\taskeng.exe[8856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess                                                                 0000000077b515d0 5 bytes JMP 00000001001a163c
.text  C:\Windows\system32\taskeng.exe[8856] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory                                                             0000000077b51810 5 bytes JMP 00000001001a1284
.text  C:\Windows\system32\taskeng.exe[8856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread                                                                 0000000077b52840 5 bytes JMP 00000001001a19f4
.text  C:\Windows\system32\taskeng.exe[8856] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity                                                         000007feffdf6e00 5 bytes JMP 000007ff7fe11dac
.text  C:\Windows\system32\taskeng.exe[8856] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA                                                             000007feffdf6f2c 5 bytes JMP 000007ff7fe10ecc
.text  C:\Windows\system32\taskeng.exe[8856] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW                                                             000007feffdf7220 5 bytes JMP 000007ff7fe11284
.text  C:\Windows\system32\taskeng.exe[8856] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A                                                            000007feffdf739c 5 bytes JMP 000007ff7fe1163c
.text  C:\Windows\system32\taskeng.exe[8856] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W                                                            000007feffdf7538 5 bytes JMP 000007ff7fe119f4
.text  C:\Windows\system32\taskeng.exe[8856] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA                                                                   000007feffdf75e8 5 bytes JMP 000007ff7fe103a4
.text  C:\Windows\system32\taskeng.exe[8856] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW                                                                   000007feffdf790c 5 bytes JMP 000007ff7fe1075c
.text  C:\Windows\system32\taskeng.exe[8856] C:\Windows\SYSTEM32\sechost.dll!DeleteService                                                                    000007feffdf7ab4 5 bytes JMP 000007ff7fe10b14
.text  C:\Windows\system32\AUDIODG.EXE[12032] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189                                                           000000007772eecd 1 byte [62]
.text  C:\Users\xxx\Desktop\83n5yfzz.exe[8764] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112                                                     0000000076b4a30a 1 byte [62]

---- Registry - GMER 2.1 ----

Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type                                                                                                   2
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start                                                                                                  2
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl                                                                                           1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName                                                                                            aswFsBlk
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group                                                                                                  FSFilter Activity Monitor
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService                                                                                        FltMgr?
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description                                                                                            avast! mini-filter driver (aswFsBlk)
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag                                                                                                    3
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances                                                                                              
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance                                                                              aswFsBlk Instance
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance                                                                            
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude                                                                   388400
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags                                                                      0
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk                                                                                                        
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type                                                                                                  2
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start                                                                                                 2
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl                                                                                          1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath                                                                                             \??\C:\Windows\system32\drivers\aswMonFlt.sys
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName                                                                                           aswMonFlt
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group                                                                                                 FSFilter Anti-Virus
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService                                                                                       FltMgr?
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description                                                                                           avast! mini-filter driver (aswMonFlt)
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances                                                                                             
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance                                                                             aswMonFlt Instance
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance                                                                          
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude                                                                 320700
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags                                                                    0
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt                                                                                                       
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath                                                                                                \SystemRoot\System32\Drivers\aswrdr2.sys
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type                                                                                                     1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start                                                                                                    1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl                                                                                             1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName                                                                                              aswRdr
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group                                                                                                    PNP_TDI
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService                                                                                          tcpip?
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description                                                                                              avast! WFP Redirect driver
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters                                                                                               
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault                                                                            
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault                                                                            nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRdr                                                                                                          
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type                                                                                                    1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start                                                                                                   0
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl                                                                                            1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName                                                                                             aswRvrt
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description                                                                                             avast! Revert
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswRvrt                                                                                                         
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type                                                                                                     2
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start                                                                                                    1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl                                                                                             1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName                                                                                              aswSnx
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group                                                                                                    FSFilter Virtualization
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService                                                                                          FltMgr?
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description                                                                                              avast! virtualization driver (aswSnx)
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag                                                                                                      2
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances                                                                                                
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance                                                                                aswSnx Instance
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance                                                                                
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude                                                                       137600
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags                                                                          0
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters                                                                                               
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder                                                                                 \DosDevices\C:\Program Files\AVAST Software\Avast
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder                                                                                    \DosDevices\C:\ProgramData\AVAST Software\Avast
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSnx                                                                                                          
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type                                                                                                      1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start                                                                                                     1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl                                                                                              1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName                                                                                               aswSP
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description                                                                                               avast! Self Protection
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters                                                                                                
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield                                                                                    1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder                                                                                  \DosDevices\C:\Program Files\AVAST Software\Avast
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder                                                                                     \DosDevices\C:\ProgramData\AVAST Software\Avast
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder                                                                             \DosDevices\C:\Program Files
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder                                                                                   \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswSP                                                                                                           
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type                                                                                                     1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start                                                                                                    1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl                                                                                             1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName                                                                                              avast! Network Shield Support
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group                                                                                                    PNP_TDI
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService                                                                                          tcpip?
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description                                                                                              avast! Network Shield TDI driver
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag                                                                                                      10
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswTdi                                                                                                          
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type                                                                                                     1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start                                                                                                    3
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl                                                                                             1
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName                                                                                              aswVmm
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description                                                                                              avast! VM Monitor
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters                                                                                               
Reg    HKLM\SYSTEM\CurrentControlSet\services\aswVmm                                                                                                          
Reg    HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type                                                                                           32
Reg    HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start                                                                                          2
Reg    HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl                                                                                   1
Reg    HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath                                                                                      "C:\Program Files\AVAST Software\Avast\AvastSvc.exe"
Reg    HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName                                                                                    avast! Antivirus
Reg    HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group                                                                                          ShellSvcGroup
Reg    HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService                                                                                aswMonFlt?RpcSS?
Reg    HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64                                                                                          1
Reg    HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName                                                                                     LocalSystem
Reg    HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType                                                                                 1
Reg    HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description                                                                                    Verwaltet und implementiert avast! Antivirus-Dienste f?r diesen Computer. Dies beinhaltet den Echtzeit-Schutz, den Virus-Container und den Planer.
Reg    HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus                                                                                                

---- Disk sectors - GMER 2.1 ----

Disk   \Device\Harddisk0\DR0                                                                                                                                  unknown MBR code

---- EOF - GMER 2.1 ----

--- --- ---

TomFinn · 18.03.2013, 23:07

OTL Logfile:

Code:

ATTFilter

OTL logfile created on: 18.03.2013 22:31:08 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\xxx\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,98 Gb Total Physical Memory | 1,97 Gb Available Physical Memory | 49,43% Memory free
7,96 Gb Paging File | 5,35 Gb Available in Paging File | 67,19% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 1346,17 Gb Total Space | 1287,11 Gb Free Space | 95,61% Space Free | Partition Type: NTFS
Drive D: | 50,00 Gb Total Space | 30,31 Gb Free Space | 60,63% Space Free | Partition Type: NTFS
 
Computer Name: xxx| User Name: xxx | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\xxx\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
PRC - C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
PRC - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe (Google Inc.)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe ()
PRC - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe (Kaspersky Lab ZAO)
PRC - C:\orgaMAX\orgamaxmobil_service.exe (deltra Business Software GmbH & Co. KG)
PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files (x86)\CyberLink\PowerRecover\Reminder.exe (CyberLink)
PRC - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation)
PRC - C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe (CyberLink)
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\5ecf01964c70e453d71e5d7653912ff9\System.Web.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\cb562e2e4f74ae607f1186f6ec50cec7\System.Windows.Forms.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\346a7a67978cead8e2ff52c6d80bbeb7\IAStorUtil.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorCommon\500a8ae2a5d27132d87ccac9f97b0069\IAStorCommon.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\90b89f6e8032310e9ac72a309fd49e83\System.Runtime.Remoting.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\eead6629e384a5b69f9ae35284b7eeed\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\cf827fe7bc99d9bcf0ba3621054ef527\WindowsBase.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\f687c43e9fdec031988b33ae722c4613\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\369f8bdca364e2b4936d18dea582912c\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\195a77fcc6206f8bb35d419ff2cf0d72\System.Configuration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7150b9136fad5b79e88f6c7f9d3d2c39\mscorlib.ni.dll ()
MOD - C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe ()
MOD - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\QtGui4.dll ()
MOD - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\QtSql4.dll ()
MOD - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\QtScript4.dll ()
MOD - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\QtNetwork4.dll ()
MOD - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\QtCore4.dll ()
MOD - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\QtDeclarative4.dll ()
MOD - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\imageformats\qgif4.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting.resources\2.0.0.0_de_b77a5c561934e089\System.Runtime.Remoting.resources.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_de_b77a5c561934e089\mscorlib.resources.dll ()
MOD - C:\Program Files (x86)\CyberLink\Power2Go\CLMediaLibrary.dll ()
MOD - C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvcPS.dll ()
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - (avast! Antivirus) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
SRV:64bit: - (AMD External Events Utility) -- C:\Windows\SysNative\atiesrxx.exe (AMD)
SRV:64bit: - (wlcrasvc) -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe (Microsoft Corporation)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\mpsvc.dll (Microsoft Corporation)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MBAMService) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MBAMScheduler) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
SRV - (AVP) -- C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe (Kaspersky Lab ZAO)
SRV - (orgaMAXMobileService) -- C:\orgaMAX\orgamaxmobil_service.exe (deltra Business Software GmbH & Co. KG)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (watchmi) -- C:\Program Files (x86)\watchmi\TvdService.exe ()
SRV - (MemeoBackgroundService) -- C:\Program Files (x86)\Memeo\AutoBackup\MemeoBackgroundService.exe (Memeo)
SRV - (IAStorDataMgrSvc) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation)
SRV - (UNS) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation)
SRV - (LMS) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - (aswSnx) -- C:\Windows\SysNative\drivers\aswSnx.sys (AVAST Software)
DRV:64bit: - (aswSP) -- C:\Windows\SysNative\drivers\aswSP.sys (AVAST Software)
DRV:64bit: - (aswVmm) -- C:\Windows\SysNative\drivers\aswVmm.sys ()
DRV:64bit: - (aswRdr) -- C:\Windows\SysNative\drivers\aswRdr2.sys (AVAST Software)
DRV:64bit: - (aswTdi) -- C:\Windows\SysNative\drivers\aswTdi.sys (AVAST Software)
DRV:64bit: - (aswRvrt) -- C:\Windows\SysNative\drivers\aswRvrt.sys ()
DRV:64bit: - (aswMonFlt) -- C:\Windows\SysNative\drivers\aswMonFlt.sys (AVAST Software)
DRV:64bit: - (aswFsBlk) -- C:\Windows\SysNative\drivers\aswFsBlk.sys (AVAST Software)
DRV:64bit: - (MBAMProtector) -- C:\Windows\SysNative\drivers\mbam.sys (Malwarebytes Corporation)
DRV:64bit: - (KLIF) -- C:\Windows\SysNative\drivers\klif.sys (Kaspersky Lab)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (AtiHDAudioService) -- C:\Windows\SysNative\drivers\AtihdW76.sys (Advanced Micro Devices)
DRV:64bit: - (amdkmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (amdkmdap) -- C:\Windows\SysNative\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (asmtxhci) -- C:\Windows\SysNative\drivers\asmtxhci.sys (ASMedia Technology Inc)
DRV:64bit: - (asmthub3) -- C:\Windows\SysNative\drivers\asmthub3.sys (ASMedia Technology Inc)
DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\drivers\Rt64win7.sys (Realtek                                            )
DRV:64bit: - (iaStor) -- C:\Windows\SysNative\drivers\iaStor.sys (Intel Corporation)
DRV:64bit: - (MEIx64) -- C:\Windows\SysNative\drivers\HECIx64.sys (Intel Corporation)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (KLIM6) -- C:\Windows\SysNative\drivers\klim6.sys (Kaspersky Lab ZAO)
DRV:64bit: - (kl2) -- C:\Windows\SysNative\drivers\kl2.sys (Kaspersky Lab ZAO)
DRV:64bit: - (KL1) -- C:\Windows\SysNative\drivers\kl1.sys (Kaspersky Lab ZAO)
DRV:64bit: - (RTL8192su) -- C:\Windows\SysNative\drivers\RTL8192su.sys (Realtek Semiconductor Corporation                           )
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (TsUsbGD) -- C:\Windows\SysNative\drivers\TsUsbGD.sys (Microsoft Corporation)
DRV:64bit: - (wsvd) -- C:\Windows\SysNative\drivers\wsvd.sys (CyberLink)
DRV:64bit: - (klmouflt) -- C:\Windows\SysNative\drivers\klmouflt.sys (Kaspersky Lab)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (igfx) -- C:\Windows\SysNative\drivers\igdkmd64.sys (Intel Corporation)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-3885901794-1574605852-3563904086-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = iGoogle
IE - HKU\S-1-5-21-3885901794-1574605852-3563904086-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-3885901794-1574605852-3563904086-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = iGoogle
IE - HKU\S-1-5-21-3885901794-1574605852-3563904086-1000\..\SearchScopes,DefaultScope = {F3E7F170-AEA9-44AE-9FB3-3F3E1DDD8067}
IE - HKU\S-1-5-21-3885901794-1574605852-3563904086-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\S-1-5-21-3885901794-1574605852-3563904086-1000\..\SearchScopes\{F3E7F170-AEA9-44AE-9FB3-3F3E1DDD8067}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7MDNF_deDE507
IE - HKU\S-1-5-21-3885901794-1574605852-3563904086-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
========== FireFox ==========
 
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\linkfilter@kaspersky.ru: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\FFExt\linkfilter@kaspersky.ru [2012.10.30 19:27:51 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\virtualKeyboard@kaspersky.ru: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\FFExt\virtualKeyboard@kaspersky.ru [2012.10.30 19:27:51 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\KavAntiBanner@Kaspersky.ru: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\FFExt\KavAntiBanner@Kaspersky.ru [2012.10.30 19:27:50 | 000,000,000 | ---D | M]
 
 
O1 HOSTS File: ([2009.06.10 22:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O2:64bit: - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\x64\ievkbd.dll (Kaspersky Lab ZAO)
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2:64bit: - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\x64\klwtbbho.dll (Kaspersky Lab ZAO)
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\ievkbd.dll (Kaspersky Lab ZAO)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\klwtbbho.dll (Kaspersky Lab ZAO)
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3:64bit: - HKLM\..\Toolbar: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3:64bit: - HKU\S-1-5-21-3885901794-1574605852-3563904086-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O4:64bit: - HKLM..\Run: [MedionReminder] C:\Program Files (x86)\CyberLink\PowerRecover\Reminder.exe (CyberLink)
O4:64bit: - HKLM..\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [AVP] C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe (Kaspersky Lab ZAO)
O4 - HKLM..\Run: [CLMLServer] C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe (CyberLink)
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-3885901794-1574605852-3563904086-1000..\Run: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe ()
O4:64bit: - HKLM..\RunOnce: [MedionReminder] C:\Program Files (x86)\CyberLink\PowerRecover\Reminder.exe (CyberLink)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8:64bit: - Extra context menu item: Hinzufügen zu Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\ie_banner_deny.htm ()
O8 - Extra context menu item: Hinzufügen zu Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\ie_banner_deny.htm ()
O9:64bit: - Extra Button: eBay - Der weltweite Online-Marktplatz - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - eBay - eine der größten deutschen Shopping-Websites File not found
O9:64bit: - Extra 'Tools' menuitem : eBay - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - eBay - eine der größten deutschen Shopping-Websites File not found
O9:64bit: - Extra Button: &Virtuelle Tastatur - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\x64\ievkbd.dll (Kaspersky Lab ZAO)
O9:64bit: - Extra Button: Li&nks untersuchen - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\x64\klwtbbho.dll (Kaspersky Lab ZAO)
O9 - Extra Button: eBay - Der weltweite Online-Marktplatz - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - eBay - eine der größten deutschen Shopping-Websites File not found
O9 - Extra 'Tools' menuitem : eBay - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - eBay - eine der größten deutschen Shopping-Websites File not found
O9 - Extra Button: &Virtuelle Tastatur - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\ievkbd.dll (Kaspersky Lab ZAO)
O9 - Extra Button: Li&nks untersuchen - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\klwtbbho.dll (Kaspersky Lab ZAO)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} hxxp://quickscan.bitdefender.com/qsax/qsax.cab (Bitdefender QuickScan Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{30924113-C70C-4A09-92FC-A1E12B183665}: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\klogon: DllName - (%SystemRoot%\System32\klogon.dll) - C:\Windows\SysNative\klogon.dll (Kaspersky Lab ZAO)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013.03.18 22:28:34 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\xxx\Desktop\OTL.exe
[2013.03.18 16:28:39 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Roaming\Malwarebytes
[2013.03.18 16:28:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013.03.18 16:28:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013.03.18 16:28:34 | 000,024,176 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2013.03.18 16:28:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2013.03.18 16:28:09 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Local\Programs
[2013.03.18 16:20:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\orgaMAX Business Software
[2013.03.18 16:20:41 | 004,292,096 | ---- | C] (dimastr.com) -- C:\Windows\SysWow64\redemption.dll
[2013.03.18 16:20:39 | 000,297,472 | ---- | C] (Borland Software Corporation) -- C:\Windows\SysWow64\midas.dll
[2013.03.18 16:20:00 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\deltra Software GmbH
[2013.03.18 16:19:56 | 004,400,752 | ---- | C] (RAPWare) -- C:\Windows\SysNative\RwEasyMAPI64.exe
[2013.03.18 16:19:55 | 004,082,688 | ---- | C] (Borland Software Corporation) -- C:\Windows\SysWow64\qtintf70.dll
[2013.03.18 16:19:54 | 000,000,000 | ---D | C] -- C:\orgaMAX
[2013.03.18 12:38:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive
[2013.03.18 12:36:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2013.03.18 12:36:26 | 000,377,920 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
[2013.03.18 12:36:26 | 000,033,400 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys
[2013.03.18 12:36:23 | 001,025,808 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys
[2013.03.18 12:36:23 | 000,287,840 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe
[2013.03.18 12:36:23 | 000,080,816 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2013.03.18 12:36:23 | 000,070,992 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr2.sys
[2013.03.18 12:36:23 | 000,068,920 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswTdi.sys
[2013.03.18 12:36:03 | 000,041,664 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2013.03.18 12:35:53 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2013.03.18 12:30:27 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2013.03.18 12:22:10 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Roaming\QuickScan
[2013.03.14 02:49:41 | 000,248,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieui.dll
[2013.03.14 02:49:41 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieui.dll
[2013.03.14 02:49:41 | 000,173,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ieUnatt.exe
[2013.03.14 02:49:41 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ieUnatt.exe
[2013.03.14 02:49:41 | 000,096,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2013.03.14 02:49:41 | 000,073,216 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2013.03.14 02:49:40 | 001,494,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\inetcpl.cpl
[2013.03.14 02:49:40 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\inetcpl.cpl
[2013.03.14 02:49:40 | 000,237,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\url.dll
[2013.03.14 02:49:40 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\url.dll
[2013.03.14 02:49:39 | 002,312,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript9.dll
[2013.03.14 02:49:39 | 000,729,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2013.03.14 02:49:38 | 000,816,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2013.03.14 02:49:38 | 000,717,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2013.03.14 02:49:38 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2013.03.07 18:37:55 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Local\{E0AC1B78-6D4C-4E45-BBAA-75D2A37B90F2}
[2013.03.06 22:07:51 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Local\{73E16C01-BA3A-42AF-B851-D17B044F7FAC}
[2013.03.06 14:19:56 | 000,000,000 | ---D | C] -- C:\Users\xxx\Documents\NavyField
[2013.03.06 12:12:24 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Roaming\TS3Client
[2013.03.06 12:12:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamSpeak 3 Client
[2013.03.06 12:12:14 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\TeamSpeak 3 Client
[2013.02.28 06:21:35 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Local\{2021B29B-F629-45C6-97B1-D986F6D22CC8}
[2013.02.28 03:00:37 | 002,284,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msmpeg2vdec.dll
[2013.02.28 03:00:36 | 002,776,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msmpeg2vdec.dll
[2013.02.28 03:00:36 | 000,465,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WMPhoto.dll
[2013.02.28 03:00:36 | 000,417,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\WMPhoto.dll
[2013.02.28 03:00:36 | 000,221,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\UIAnimation.dll
[2013.02.28 03:00:36 | 000,187,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\UIAnimation.dll
[2013.02.28 03:00:34 | 000,194,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10_1.dll
[2013.02.28 03:00:34 | 000,010,752 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
[2013.02.28 03:00:34 | 000,010,752 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-advapi32-l1-1-0.dll
[2013.02.28 03:00:34 | 000,009,728 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
[2013.02.28 03:00:34 | 000,009,728 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-shlwapi-l1-1-0.dll
[2013.02.28 03:00:34 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
[2013.02.28 03:00:34 | 000,003,584 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-advapi32-l2-1-0.dll
[2013.02.28 03:00:34 | 000,002,560 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
[2013.02.28 03:00:34 | 000,002,560 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-normaliz-l1-1-0.dll
[2013.02.28 03:00:33 | 002,565,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10warp.dll
[2013.02.28 03:00:33 | 000,522,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\XpsGdiConverter.dll
[2013.02.28 03:00:33 | 000,364,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\XpsGdiConverter.dll
[2013.02.28 03:00:33 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll
[2013.02.28 03:00:33 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-version-l1-1-0.dll
[2013.02.28 03:00:33 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-shell32-l1-1-0.dll
[2013.02.28 03:00:32 | 001,887,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d11.dll
[2013.02.28 03:00:32 | 001,682,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\XpsPrint.dll
[2013.02.28 03:00:32 | 001,504,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\d3d11.dll
[2013.02.28 03:00:32 | 001,238,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10.dll
[2013.02.28 03:00:32 | 001,158,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\XpsPrint.dll
[2013.02.28 03:00:32 | 000,648,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10level9.dll
[2013.02.28 03:00:32 | 000,363,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dxgi.dll
[2013.02.28 03:00:32 | 000,333,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10_1core.dll
[2013.02.28 03:00:32 | 000,296,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d3d10core.dll
[2013.02.28 03:00:32 | 000,005,632 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
[2013.02.28 03:00:32 | 000,005,632 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-shlwapi-l2-1-0.dll
[2013.02.28 03:00:32 | 000,005,632 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll
[2013.02.28 03:00:32 | 000,005,632 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-ole32-l1-1-0.dll
[2013.02.28 03:00:32 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll
[2013.02.28 03:00:32 | 000,004,096 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysNative\api-ms-win-downlevel-user32-l1-1-0.dll
[2013.02.28 03:00:32 | 000,003,072 | -H-- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll
[2013.02.28 03:00:31 | 003,928,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\d2d1.dll
[2013.02.28 03:00:31 | 001,643,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\DWrite.dll
[2013.02.28 03:00:31 | 001,424,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WindowsCodecs.dll
[2013.02.28 03:00:31 | 000,245,248 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\WindowsCodecsExt.dll
[2013.02.24 14:18:40 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Local\{8FBC6EAA-4236-4C81-A446-A9014C96BC00}
[2013.02.23 19:23:11 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Local\{D8C77060-3BB6-422F-87D8-7C48028A5AD1}
[2013.02.23 19:17:57 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Local\{9601227F-128C-4024-AF81-216AADF36C66}
[2013.02.23 14:35:23 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Local\{FCC6F977-2511-497E-9223-5878583D9AEE}
[2013.02.23 14:25:55 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Local\{FC396C05-8809-43CE-B137-12296C2425ED}
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013.03.18 22:28:37 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\xxx\Desktop\OTL.exe
[2013.03.18 22:07:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.03.18 21:51:26 | 000,016,752 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013.03.18 21:51:26 | 000,016,752 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013.03.18 21:51:00 | 000,001,110 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013.03.18 21:44:13 | 000,001,106 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013.03.18 21:43:15 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.03.18 21:43:13 | 3206,787,072 | -HS- | M] () -- C:\hiberfil.sys
[2013.03.18 18:53:01 | 000,377,856 | ---- | M] () -- C:\Users\xxx\Desktop\83n5yfzz.exe
[2013.03.18 18:19:25 | 000,000,000 | ---- | M] () -- C:\Users\xxx\defogger_reenable
[2013.03.18 18:18:09 | 000,050,477 | ---- | M] () -- C:\Users\xxx\Desktop\Defogger.exe
[2013.03.18 16:28:36 | 000,001,117 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2013.03.18 16:20:42 | 000,001,530 | ---- | M] () -- C:\Users\xxx\Desktop\orgaMAX starten....lnk
[2013.03.18 12:36:27 | 000,001,926 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2013.03.18 12:36:23 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt
[2013.03.12 20:07:25 | 000,693,976 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
[2013.03.12 20:07:25 | 000,073,432 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
[2013.03.07 00:33:21 | 001,025,808 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys
[2013.03.07 00:33:21 | 000,377,920 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
[2013.03.07 00:33:21 | 000,178,624 | ---- | M] () -- C:\Windows\SysNative\drivers\aswVmm.sys
[2013.03.07 00:33:21 | 000,070,992 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr2.sys
[2013.03.07 00:33:21 | 000,068,920 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswTdi.sys
[2013.03.07 00:33:21 | 000,065,336 | ---- | M] () -- C:\Windows\SysNative\drivers\aswRvrt.sys
[2013.03.07 00:33:20 | 000,080,816 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2013.03.07 00:33:20 | 000,033,400 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys
[2013.03.07 00:32:51 | 000,041,664 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2013.03.07 00:32:22 | 000,287,840 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe
[2013.03.06 12:12:15 | 000,001,170 | ---- | M] () -- C:\Users\Public\Desktop\TeamSpeak 3 Client.lnk
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013.03.18 18:53:00 | 000,377,856 | ---- | C] () -- C:\Users\xxx\Desktop\83n5yfzz.exe
[2013.03.18 18:19:25 | 000,000,000 | ---- | C] () -- C:\Users\xxx\defogger_reenable
[2013.03.18 18:18:01 | 000,050,477 | ---- | C] () -- C:\Users\xxx\Desktop\Defogger.exe
[2013.03.18 16:28:36 | 000,001,117 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2013.03.18 16:20:42 | 000,001,530 | ---- | C] () -- C:\Users\xxx\Desktop\orgaMAX starten....lnk
[2013.03.18 12:36:27 | 000,001,926 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2013.03.18 12:36:23 | 000,178,624 | ---- | C] () -- C:\Windows\SysNative\drivers\aswVmm.sys
[2013.03.18 12:36:23 | 000,065,336 | ---- | C] () -- C:\Windows\SysNative\drivers\aswRvrt.sys
[2013.03.18 12:36:23 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\config.nt
[2013.03.06 12:12:15 | 000,001,170 | ---- | C] () -- C:\Users\Public\Desktop\TeamSpeak 3 Client.lnk
[2011.11.23 19:20:22 | 000,204,952 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat
[2011.11.23 19:20:22 | 000,157,144 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat
[2011.11.23 19:20:21 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2011.10.14 01:53:18 | 000,056,832 | ---- | C] () -- C:\Windows\SysWow64\OpenVideo.dll
[2011.10.14 01:53:02 | 000,056,832 | ---- | C] () -- C:\Windows\SysWow64\OVDecoder.dll
[2011.08.22 17:19:31 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011.07.08 07:37:28 | 000,053,760 | ---- | C] () -- C:\Windows\SysWow64\OVDecode.dll
 
========== ZeroAccess Check ==========
 
[2009.07.14 05:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012.06.09 06:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 05:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 02:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.21 04:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 02:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
 
========== LOP Check ==========
 
[2013.03.18 12:22:10 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\QuickScan
[2013.03.08 21:03:30 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\TS3Client
[2012.10.28 13:49:18 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\wargaming.net
 
========== Purity Check ==========
 
 

< End of report >

--- --- ---

OTL Logfile:

Code:

ATTFilter

OTL Extras logfile created on: 18.03.2013 22:31:08 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\xxx\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,98 Gb Total Physical Memory | 1,97 Gb Available Physical Memory | 49,43% Memory free
7,96 Gb Paging File | 5,35 Gb Available in Paging File | 67,19% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 1346,17 Gb Total Space | 1287,11 Gb Free Space | 95,61% Space Free | Partition Type: NTFS
Drive D: | 50,00 Gb Total Space | 30,31 Gb Free Space | 60,63% Space Free | Partition Type: NTFS
 
Computer Name: xxx | User Name: xxx | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = ChromeHTML] -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
 
[HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found
 
[HKEY_USERS\S-1-5-18\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
http [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
http [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01  [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 1
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 1
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{17D6C6DA-8DE9-4ACA-993D-D38ED9D38EF2}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | 
"{19E9D026-36C8-4B8F-B95D-FA94BA6E24B8}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{2491D450-9142-4885-9B4A-6C59B2AEE6B1}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{2B1CBC75-C088-4A1D-AFF7-204DECA9A1C6}" = rport=137 | protocol=17 | dir=out | app=system | 
"{506537C0-7711-459B-B8A6-5D614C1F7E23}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{608C8945-66C1-4834-8F5D-E3D824F83B8C}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{686DD731-87A3-4650-8901-8F543C19DD3C}" = rport=139 | protocol=6 | dir=out | app=system | 
"{7045F7A5-0287-46C5-879A-D2E8F2058773}" = rport=138 | protocol=17 | dir=out | app=system | 
"{7D74DA82-7ED5-4108-BAB2-3D93FB8F9FA4}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{A54742DE-4996-4739-8CA7-3CC121327B32}" = lport=138 | protocol=17 | dir=in | app=system | 
"{A5A98264-8D8C-4FEE-A4DC-31BAA38195C5}" = lport=445 | protocol=6 | dir=in | app=system | 
"{A9F533F3-4931-4F18-A9E0-D0CF37DCF93E}" = lport=10243 | protocol=6 | dir=in | app=system | 
"{AC7D0FCB-8C69-41B6-9E98-FCB5E914DC09}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | 
"{AF5427AC-F8B7-4134-946A-4749DA8EA1D6}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) | 
"{B31735F3-E6CA-43F7-BA9D-EA9BB706E2CC}" = lport=2869 | protocol=6 | dir=in | app=system | 
"{C9A8CC88-2CB8-4858-B9CE-70CC8FC9A1D6}" = lport=139 | protocol=6 | dir=in | app=system | 
"{CFC171B7-5612-49F8-AAA2-1AD122B0927B}" = rport=445 | protocol=6 | dir=out | app=system | 
"{DB7BF9A4-365E-456E-BFF9-FC00D4B0C0A4}" = lport=137 | protocol=17 | dir=in | app=system | 
"{DC1D2713-4CFE-40FF-8D4A-D1E2C85C06D5}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe | 
"{DE90CC1D-8DF4-47FF-928D-EB0822A8B8A7}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | 
"{E220618C-E7C9-4AB4-9555-0CD49B2A6986}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) | 
"{E2EEB778-5BAA-4E63-8FE9-DE3C1178224E}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | 
"{F51FD37F-463D-4285-B1D8-A049FF042763}" = rport=10243 | protocol=6 | dir=out | app=system | 
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1CF126D0-F3EA-4073-8E73-F83C088A39CB}" = dir=in | app=c:\program files (x86)\windows live\mesh\moe.exe | 
"{1E751F78-9EAE-4A7D-8B52-6B81C05EF0FC}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | 
"{29669699-480D-4112-897D-3BA147724AE4}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{3100D1A7-56A3-49C4-8161-CF085C7CC89A}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | 
"{3527B27C-6BCE-4707-9E97-F73D6833AE4B}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{37A27C12-2EB0-4555-BE3A-808D65174ECC}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | 
"{394C279B-A714-41A7-9F9E-3D88EF96CE64}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe | 
"{462E8187-7C63-42D2-B6CC-196E6DBE2FC7}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | 
"{47B95C46-49FD-4ADD-8862-06FF01BCCF05}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{7E15BA72-6F59-4DE9-A6A7-417B81451CE6}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe | 
"{8393C35D-94BA-4D01-B093-220CF7F7C416}" = protocol=6 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe | 
"{94074E97-6F20-4A18-A792-4F9B3B9E7FE4}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{97C62463-4293-433F-9DBF-6526C035A645}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{99FA355D-88C1-4289-9F38-6782266D5D9E}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{9BB0998D-3EDC-49FB-A07A-16488FD1EE06}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{B32E856D-EDAC-406D-898E-276DE0968C29}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | 
"{B3FAB248-2580-40AA-B601-52BD4B2C8104}" = protocol=6 | dir=out | app=system | 
"{C57268E1-05A9-41CC-8780-662BB65C0D33}" = protocol=6 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe | 
"{CCA743F8-CE9A-452C-9243-EC8B73208AEA}" = dir=in | app=c:\program files (x86)\windows live\contacts\wlcomm.exe | 
"{D3E8BB65-F2F9-42C8-AD5B-6A065E6B71FA}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{E4EC6113-E0DC-46C0-964E-B45A9D853B1E}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{EE942323-7136-4FE5-BE83-4115CB420AFB}" = dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe | 
"{F14845A9-04E9-403B-B262-AAB2D4DB8C90}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe | 
"{F22212F7-1CAB-46BB-A482-F38E3BA38D6C}" = protocol=17 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe | 
"{F245FEA1-6EC6-4D0A-BFCC-968C5E35FDB7}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe | 
"{FCEECF84-41B1-4472-9227-DF4CE0E65D33}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe | 
"{FDCDBA28-0F95-4AB5-BBC6-7148278C41D3}" = protocol=17 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07ECB2CD-DC4D-9170-0832-6D0241F282E9}" = AMD AVIVO64 Codecs
"{180C8888-50F1-426B-A9DC-AB83A1989C65}" = Windows Live Language Selector
"{19F09425-3C20-4730-9E2A-FC2E17C9F362}" = Windows Live Remote Service Resources
"{1ACC8FFB-9D84-4C05-A4DE-D28A9BC91698}" = Windows Live ID Sign-in Assistant
"{1EB2CFC3-E1C5-4FC4-B1F8-549DD6242C67}" = Windows Live Remote Service Resources
"{2426E29F-9E8C-4C0B-97FC-0DB690C1ED98}" = Windows Live Remote Client Resources
"{2F304EF4-0C31-47F4-8557-0641AAE4197C}" = Windows Live Remote Client Resources
"{2F949F9F-EBD4-8597-5CF0-6370C0161CC9}" = AMD Catalyst Install Manager
"{3BFAF653-4B91-2C87-82FE-DAF4C0F7BF18}" = AMD Drag and Drop Transcoding
"{455196BE-3B39-D0C3-0DB4-7F572F9DAC9A}" = ccc-utility64
"{456FB9B5-AFBC-4761-BBDC-BA6BAFBB818F}" = Windows Live Remote Client Resources
"{480F28F0-8BCE-404A-A52E-0DBB7D1CE2EF}" = Windows Live Remote Service Resources
"{4EC57D6F-D4B2-DA64-DA3D-AA974526BA29}" = AMD Media Foundation Decoders
"{503F672D-6C84-448A-8F8F-4BC35AC83441}" = AMD APP SDK Runtime
"{5151E2DB-0748-4FD1-86A2-72E2F94F8BE7}" = Windows Live Remote Service Resources
"{5E2CD4FB-4538-4831-8176-05D653C3E6D4}" = Windows Live Remote Service Resources
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{5FEAD3E5-A158-4B66-B92B-0C959D7CF838}" = Windows Live Remote Service Resources
"{656DEEDE-F6AC-47CA-A568-A1B4E34B5760}" = Windows Live Remote Service Resources
"{692CCE55-9EAE-4F57-A834-092882E7FE0B}" = Windows Live Remote Client Resources
"{6C9D3F1D-DBBE-46F9-96A0-726CC72935AF}" = Windows Live Remote Service Resources
"{6CBFDC3C-CF21-4C02-A6DC-A5A2707FAF55}" = Windows Live Remote Service Resources
"{847B0532-55E3-4AAF-8D7B-E3A1A7CD17E5}" = Windows Live Remote Client Resources
"{850B8072-2EA7-4EDC-B930-7FE569495E76}" = Windows Live Remote Client Resources
"{8970AE69-40BE-4058-9916-0ACB1B974A3D}" = Windows Live Remote Client Resources
"{8EB588BD-D398-40D0-ADF7-BE1CEEF7C116}" = Windows Live Remote Client Resources
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A679FBE4-BA2D-4514-8834-030982C8B31A}" = Windows Live Remote Service Resources
"{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
"{B750FA38-7AB0-42CB-ACBB-E7DBE9FF603F}" = Windows Live Remote Client Resources
"{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}" = PlayReady PC Runtime amd64
"{C9F05151-95A9-4B9B-B534-1760E2D014A5}" = Windows Live Remote Client Resources
"{D1C1556C-7FF3-48A3-A5D6-7126F0FAFB66}" = Windows Live Remote Client Resources
"{D3E4F422-7E0F-49C7-8B00-F42490D7A385}" = Windows Live Remote Service Resources
"{D5876F0A-B2E9-4376-B9F5-CD47B7B8D820}" = Windows Live Remote Client Resources
"{D930AF5C-5193-4616-887D-B974CEFC4970}" = Windows Live Remote Service Resources
"{DA54F80E-261C-41A2-A855-549A144F2F59}" = Windows Live MIME IFilter
"{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}" = Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319
"{DBEDAF67-C5A3-4C91-951D-31F3FE63AF3F}" = Windows Live Remote Client Resources
"{DF6D988A-EEA0-4277-AAB8-158E086E439B}" = Windows Live Remote Client
"{E02A6548-6FDE-40E2-8ED9-119D7D7E641F}" = Windows Live Remote Service
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"{F6CB2C5F-B2C1-4DF1-BF44-39D0DC06FE6F}" = Windows Live Remote Service Resources
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00884F14-05BD-4D8E-90E5-1ABF78948CA4}" = Windows Live Mesh
"{0269C1CD-92C4-B8B4-6A13-4287CB880CDF}" = CCC Help Finnish
"{04668DF2-D32F-4555-9C7E-35523DCD6544}" = Control ActiveX de Windows Live Mesh para conexiones remotas
"{05E379CC-F626-4E7D-8354-463865B303BF}" = Windows Live UX Platform Language Pack
"{05FFC359-64F3-A1C7-16A6-4BECC05D0519}" = CCC Help Norwegian
"{062E4D94-8306-46D5-81B6-45E6AD09C799}" = Windows Live Messenger
"{0654EA5D-308A-4196-882B-5C09744A5D81}" = Windows Live Photo Common
"{09922FFE-D153-44AE-8B60-EA3CB8088F93}" = Windows Live UX Platform Language Pack
"{0ABBF310-94E4-4AE8-A6BD-10345A3F6439}" = Google Drive
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0C1931EB-8339-4837-8BEC-75029BF42734}" = Windows Live UX Platform Language Pack
"{0D261C88-454B-46FE-B43B-640E621BDA11}" = Windows Live Mail
"{0EC0B576-90F9-43C3-8FAD-A4902DF4B8F4}" = Galeria de Fotografias do Windows Live
"{10186F1A-6A14-43DF-A404-F0105D09BB07}" = Windows Live Mail
"{1203DC60-D9BD-44F9-B372-2B8F227E6094}" = Windows Live Temel Parçalar
"{14B441B7-774D-4170-98EA-A13667AE6218}" = Windows Live Writer Resources
"{17F99FCE-8F03-4439-860A-25C5A5434E18}" = Windows Live Essentials
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{198EA334-8A3F-4CB2-9D61-6C10B8168A6F}" = Windows Live Writer
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1BA1DBDC-5431-46FD-A66F-A17EB1C439EE}" = Windows Live Messenger
"{1D6C2068-807F-4B76-A0C2-62ED05656593}" = Windows Live Writer
"{1DDB95A4-FD7B-4517-B3F1-2BCAA96879E6}" = Windows Live Writer Resources
"{1EAC1D02-C6AC-4FA6-9A44-96258C37C812}_is1" = World of Tanks
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = Medion Home Cinema
"{1FC83EAE-74C8-4C72-8400-2D8E40A017DE}" = Windows Live Writer
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{20E7F0EE-DE26-3287-FFB2-11F33ECE35F3}" = CCC Help Italian
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{241E7104-937A-4366-AD57-8FDDDB003939}" = Uzak Bağlantılar İçin Windows Live Mesh ActiveX Denetimi
"{25A381E1-0AB9-4E7A-ACCE-BA49D519CF4E}" = Windows Live Mail
"{26A24AE4-039D-4CA4-87B4-2F83216029FF}" = Java(TM) 6 Update 29
"{26E3C07C-7FF7-4362-9E99-9E49E383CF16}" = Windows Live Writer Resources
"{2902F983-B4C1-44BA-B85D-5C6D52E2C441}" = Windows Live Mesh ActiveX Control for Remote Connections
"{2A07C35B-8384-4DA4-9A95-442B6C89A073}" = Windows Live Essentials
"{2A3FC24C-6EC0-4519-A52B-FDA4EA9B2D24}" = Windows Live Messenger
"{2EF1CACD-24D7-DD2C-627B-AEFD3B951C6E}" = CCC Help English
"{2F54E453-8C93-4B3B-936A-233C909E6CAC}" = Windows Live Messenger
"{2FB06C2A-0D2F-1962-532A-AEC79851E241}" = CCC Help Dutch
"{3125D9DE-8D7A-4987-95F3-8A42389833D8}" = Windows Live Writer Resources
"{324F76CC-D8DD-4D87-B77D-D4AF5E1AA7B3}" = CyberLink WaveEditor
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{34319F1F-7CF2-4CC9-B357-1AE7D2FF3AC5}" = Windows Live
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{370F888E-42A7-4911-9E34-7D74632E17EB}" = Windows Live Photo Common
"{37B33B16-2535-49E7-8990-32668708A0A3}" = Windows Live UX Platform Language Pack
"{3B9A92DA-6374-4872-B646-253F18624D5F}" = Windows Live Writer
"{3CA5E31B-3294-4352-A7D7-A156763779E9}" = NavyFIELD Europa
"{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}" = Intel(R) Rapid Storage Technology
"{3F4143A1-9C21-4011-8679-3BC1014C6886}" = Windows Live Mesh
"{409DC300-28AF-468F-9624-1F3309701881}" = watchmi
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
"{40BFD84C-64CD-42CC-9909-8734C50429C6}" = Windows Live UX Platform Language Pack
"{410DF0AA-882D-450D-9E1B-F5397ACFFA80}" = Windows Live Essentials
"{429DF1A0-3610-4E9E-8ACE-3C8AC1BA8FCA}" = Windows Live Photo Gallery
"{443B561F-DE1B-4DEF-ADD9-484B684653C7}" = Windows Live Messenger
"{44B2A0AB-412E-4F8C-B058-D1E8AECCDFF5}" = CyberLink PowerRecover
"{45D77EDE-0D5B-30EA-E2D7-85DD18E2088A}" = Catalyst Control Center InstallProxy
"{45E557D6-2271-4F13-8101-C620B4285AB0}" = Kaspersky Internet Security 2012
"{46872828-6453-4138-BE1C-CE35FBF67978}" = Windows Live Mesh
"{48294D95-EE9A-4377-8213-44FC4265FB27}" = Windows Live Messenger
"{488F0347-C4A7-4374-91A7-30818BEDA710}" = Galerie de photos Windows Live
"{48C0DC5E-820A-44F2-890E-29B68EDD3C78}" = Windows Live Writer
"{498765E0-6D72-309A-6019-3F2DDAD6808A}" = CCC Help French
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B28D47A-5FF0-45F8-8745-11DC2A1C9D0F}" = Windows Live Writer
"{4B744C85-DBB1-4038-B989-4721EB22C582}" = Windows Live Messenger
"{4D141929-141B-4605-95D6-2B8650C1C6DA}" = Windows Live UX Platform Language Pack
"{506FC723-8E6C-4417-9CFF-351F99130425}" = Windows Live UX Platform Language Pack
"{523DF2BB-3A85-4047-9898-29DC8AEB7E69}" = Windows Live UX Platform Language Pack
"{5275D81E-83AD-4DE4-BC2B-6E6BA3A33244}" = Windows Live Writer Resources
"{55118EA0-31F5-A638-4238-50D632B73D64}" = Catalyst Control Center Localization All
"{55D003F4-9599-44BF-BA9E-95D060730DD3}" = Contrôle ActiveX Windows Live Mesh pour connexions à distance
"{56D13BAF-37D4-EC49-AF10-19F3E91B40E1}" = CCC Help Spanish
"{57220148-3B2B-412A-A2E0-82B9DF423696}" = Windows Live Mesh ActiveX-objekt til fjernforbindelser
"{579684A4-DDD5-4CA3-9EA8-7BE7D9593DB4}" = Windows Live UX Platform Language Pack
"{5AF4B3C4-C393-48D7-AC7E-8E7615579548}" = Adobe AIR
"{5CF5B1A5-CBC3-42F0-8533-5A5090665862}" = Windows Live Mesh
"{5D273F60-0525-48BA-A5FB-D0CAA4A952AE}" = Windows Live Movie Maker
"{60C3C026-DB53-4DAB-8B97-7C1241F9A847}" = Windows Live Movie Maker
"{62687B11-58B5-4A18-9BC3-9DF4CE03F194}" = Windows Live Writer Resources
"{63CF7D0C-B6E7-4EE9-8253-816B613CC437}" = Windows Live Mail
"{640798A0-A4FB-4C52-AC72-755134767F1E}" = Windows Live Movie Maker
"{64376910-1860-4CEF-8B34-AA5D205FC5F1}" = Poczta usługi Windows Live
"{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel(R) Management Engine Components
"{677AAD91-1790-4FC5-B285-0E6A9D65F7DC}" = Windows Live Mail
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{6ABE832B-A5C7-44C1-B697-3E123B7B4D5B}" = Windows Live Mesh
"{6B556C37-8919-4991-AC34-93D018B9EA49}" = Windows Live Photo Common
"{6DEC8BD5-7574-47FA-B080-492BBBE2FEA3}" = Windows Live Movie Maker
"{6E29C4F7-C2C2-4B18-A15C-E09B92065F15}" = Windows Live Mesh ActiveX-vezérlő távoli kapcsolatokhoz
"{6E8AFC13-F7B8-41D8-88AB-F1D0CFC56305}" = Windows Live Messenger
"{7069F9BA-0CC9-08AA-1825-1CB65D90BC24}" = CCC Help Danish
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{71A81378-79D5-40CC-9BDC-380642D1A87F}" = Windows Live Writer
"{71C95134-F6A9-45E7-B7B3-07CA6012BF2A}" = Windows Live Mesh
"{7272F232-A7E0-4B2B-A5D2-71B7C5E2379C}" = Windows Live Fotótár
"{73FC3510-6421-40F7-9503-EDAE4D0CF70D}" = Windows Live Photo Common
"{7496FD31-E5CB-4AE4-82D3-31099558BF6A}" = Windows Live Mesh
"{74E8A7F6-575D-42C7-9178-E87D1B3BEFE8}" = Windows Live UX Platform Language Pack
"{77477AEA-5757-47D8-8B33-939F43D82218}" = Windows Live UX Platform Language Pack
"{78DAE910-CA72-450E-AD22-772CB1A00678}" = Windows Live Mesh
"{7A9D47BA-6D50-4087-866F-0800D8B89383}" = Podstawowe programy Windows Live
"{7BA19818-F717-4DFB-BC11-FAF17B2B8AEE}" = Pošta Windows Live
"{7D1C7B9F-2744-4388-B128-5C75B8BCCC84}" = Windows Live Essentials
"{7E017923-16F8-4E32-94EF-0A150BD196FE}" = Windows Live Writer
"{7E90B133-FF47-48BB-91B8-36FC5A548FE9}" = Windows Live Writer Resources
"{827D3E4A-0186-48B7-9801-7D1E9DD40C07}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83C292B7-38A5-440B-A731-07070E81A64F}" = Windows Live PIMT Platform
"{841F1FB4-FDF8-461C-A496-3E1CFD84C0B5}" = Windows Live Mesh
"{84267681-BF16-40B6-9564-27BC57D7D71C}" = Windows Live Photo Common
"{85373DA7-834E-4850-8AF5-1D99F7526857}" = Windows Live Photo Common
"{859D4022-B76D-40DE-96EF-C90CDA263F44}" = Windows Live Writer
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C6D6116-B724-4810-8F2D-D047E6B7D68E}" = Mesh Runtime
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{8E666407-AC41-46a2-9692-6C7BFCBFDD37}" = Memeo Instant Backup
"{8FF3891F-01B5-4A71-BFCD-20761890471C}" = Windows Live Messenger
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{93E464B3-D075-4989-87FD-A828B5C308B1}" = Windows Live Writer Resources
"{95140000-0070-0000-0000-0000000FF1CE}" = Microsoft Office 2010
"{97490A5C-49CB-468C-1639-9FB58BAA44CD}" = CCC Help Swedish
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BD262D0-B788-4546-A0A5-F4F56EC3834B}" = Windows Live Photo Common
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{9FAE6E8D-E686-49F5-A574-0A58DFD9580C}" = Windows Live Mail
"{A0C91188-C88F-4E86-93E6-CD7C9A266649}" = Windows Live Mesh
"{A101F637-2E56-42C0-8E08-F1E9086BFAF3}" = Windows Live Movie Maker
"{A41A708E-3BE6-4561-855D-44027C1CF0F8}" = Windows Live Photo Common
"{A60B3BF0-954B-42AF-B8D8-2C1D34B613AA}" = Windows Live Photo Gallery
"{A7056D45-C63A-4FE4-A69D-FB54EF9B21BB}" = Windows Live Messenger
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{AB61A2E9-37D3-485D-9085-19FBDF8CEF4A}" = Windows Live Messenger
"{AC76BA86-7AD7-FFFF-7B44-AA0000000001}" = Adobe Reader X (10.1.2) MUI
"{ACFBE99B-6981-4513-B17E-A2683CEB9EE5}" = Windows Live Mesh
"{ADE85655-8D1E-4E4B-BF88-5E312FB2C74F}" = Windows Live Mail
"{ADFE4AED-7F8E-4658-8D6E-742B15B9F120}" = Windows Live Photo Common
"{B04A0E2F-1E4C-4E61-B18E-3B2BD6779CA7}" = Formant ActiveX programu Windows Live Mesh odpowiedzialny za obsługę połączeń zdalnych
"{B113D18C-67B0-4FB7-B329-E89B66194AE6}" = Windows Live Fotogalerie
"{B1239994-A850-44E2-BED8-E70A21124E16}" = Windows Live Mail
"{B2E90616-C50D-4B89-A40D-92377AC669E5}" = Windows Live Messenger
"{B618C3BF-5142-4630-81DD-F96864F97C7E}" = Windows Live Essentials
"{B7E68A6D-1C9B-4F18-B021-949115021714}" = COMPUTERBILD Vorteil-Center
"{BD695C2F-3EA0-4DA4-92D5-154072468721}" = Windows Live Fotoğraf Galerisi
"{BF022D76-9F72-4203-B8FA-6522DC66DFDA}" = Windows Live Movie Maker
"{BF35168D-F6F9-4202-BA87-86B5E3C9BF7A}" = Windows Live Mesh
"{C00C2A91-6CB3-483F-80B3-2958E29468F1}" = Συλλογή φωτογραφιών του Windows Live
"{C29FC15D-E84B-4EEC-8505-4DED94414C59}" = Windows Live Writer Resources
"{C2AB7DC4-489E-4BE9-887A-52262FBADBE0}" = Windows Live Photo Common
"{C32CE55C-12BA-4951-8797-0967FDEF556F}" = Windows Live Mesh - ActiveX-besturingselement voor externe verbindingen
"{C51AF995-1F7C-465F-A80B-EBBFE7969531}" = CCC Help Japanese
"{C5398A89-516C-4DAF-BA07-EE7949090E56}" = Windows Live Mesh ActiveX control for remote connections
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = CyberLink LabelPrint
"{C63A1E60-B6A4-440B-89A5-1FC6E4AC1C94}" = Windows Live Mesh ActiveX Control for Remote Connections
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{C8421D85-CA0E-4E93-A9A9-B826C4FB88EA}" = Windows Live Mail
"{C893D8C0-1BA0-4517-B11C-E89B65E72F70}" = Windows Live Photo Common
"{CA227A9D-09BE-4BFB-9764-48FED2DA5454}" = Kontrolnik Windows Live Mesh ActiveX za oddaljene povezave
"{CB3F59BB-7858-41A1-A7EA-4B8A6FC7D431}" = Galeria fotografii usługi Windows Live
"{CB7224D9-6DCA-43F1-8F83-6B1E39A00F92}" = Windows Live Movie Maker
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{CF671BFE-6BA3-44E7-98C1-500D9C51D947}" = Windows Live Photo Gallery
"{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{D588365A-AE39-4F27-BDAE-B4E72C8E900C}" = Windows Live Mail
"{D6F25CF9-4E87-43EB-B324-C12BE9CDD668}" = Windows Live UX Platform Language Pack
"{DAEF48AD-89C8-4A93-B1DD-45B7E4FB6071}" = Windows Live Movie Maker
"{DB1208F4-B2FE-44E9-BFE6-8824DBD7891B}" = Windows Live Movie Maker
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{DE7C13A6-E4EA-4296-B0D5-5D7E8AD69501}" = Windows Live Writer
"{DE8F99FD-2FC7-4C98-AA67-2729FDE1F040}" = Windows Live Writer Resources
"{DECDCB7C-58CC-4865-91AF-627F9798FE48}" = Windows Live Mesh
"{DEF91E0F-D266-453D-B6F2-1BA002B40CB6}" = Windows Live Essentials
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E3D04529-6EDB-11D8-A372-0050BAE317E1}" = CyberLink PowerDVD Copy
"{E3E3281A-1D64-D7B4-9574-70E58CA258D5}" = Catalyst Control Center
"{E4E88B54-4777-4659-967A-2EED1E6AFD83}" = Windows Live Movie Maker
"{E4FB0B39-C991-4EE7-95DD-1A1A7857D33D}" = Asmedia ASM104x USB 3.0 Host Controller Driver
"{E54EEB5D-41ED-40FE-B4A8-8565DB81469B}" = Controlo ActiveX do Windows Live Mesh para Ligações Remotas
"{E55E0C35-AC3C-4683-BA2F-834348577B80}" = Windows Live Writer
"{E59969EA-3B5B-4B24-8B94-43842A7FBFE9}" = Fotogalerija Windows Live
"{E5B21F11-6933-4E0B-A25C-7963E3C07D11}" = Windows Live Messenger
"{E5DD4723-FE0B-436E-A815-DC23CF902A0B}" = Windows Live UX Platform Language Pack
"{E727A662-AF9F-4DEE-81C5-F4A1686F3DFC}" = Windows Live Writer Resources
"{E8524B28-3BBB-4763-AC83-0E83FE31C350}" = Windows Live Writer
"{E85A4EFC-82F2-4CEE-8A8E-62FDAD353A66}" = Galería fotográfica de Windows Live
"{E9AD2143-26D5-4201-BED1-19DCC03B407D}" = Windows Live Messenger
"{E9D98402-21AB-4E9F-BF6B-47AF36EF7E97}" = Windows Live Writer Resources
"{ED16B700-D91F-44B0-867C-7EB5253CA38D}" = Raccolta foto di Windows Live
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F3C6C49E-1450-7F9B-1457-B167B8FEB842}" = CCC Help German
"{F665F3B8-01B4-46A9-8E47-FF8DC2208C9F}" = Στοιχείο ελέγχου ActiveX του Windows Live Mesh για απομακρυσμένες συνδέσεις
"{F80E5450-3EF3-4270-B26C-6AC53BEC5E76}" = Windows Live Movie Maker
"{F8A9085D-4C7A-41a9-8A77-C8998A96C421}" = Intel(R) Control Center
"{F95E4EE0-0C6E-4273-B6B9-91FD6F071D76}" = Windows Live Essentials
"{FCDE76CB-989D-4E32-9739-6A272D2B0ED7}" = Windows Live Mesh
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"{FEEF7F78-5876-438B-B554-C4CC426A4302}" = Windows Live Essentials
"{FF3DFA01-1E98-46B4-A065-DA8AD47C9598}" = Windows Live Movie Maker
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"avast" = avast! Free Antivirus
"Google Chrome" = Google Chrome
"InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = Medion Home Cinema
"InstallShield_{324F76CC-D8DD-4D87-B77D-D4AF5E1AA7B3}" = CyberLink WaveEditor
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
"InstallShield_{44B2A0AB-412E-4F8C-B058-D1E8AECCDFF5}" = CyberLink PowerRecover
"InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = CyberLink LabelPrint
"InstallShield_{E3D04529-6EDB-11D8-A372-0050BAE317E1}" = CyberLink PowerDVD Copy
"InstallWIX_{45E557D6-2271-4F13-8101-C620B4285AB0}" = Kaspersky Internet Security 2012
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware Version 1.70.0.1100
"orgaMAX_is1" = orgaMAX Business Software
"TeamSpeak 3 Client" = TeamSpeak 3 Client
"WinLiveSuite" = Windows Live Essentials
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 17.03.2013 05:07:34 | Computer Name = xxx | Source = MemeoBackgroundService | ID = 0
Description = Problem starting Memeo Background Service :Ausnahmefehler "System.Reflection.TargetInvocationException:
 Ein Aufrufziel hat einen Ausnahmefehler verursacht. ---> System.Security.Principal.IdentityNotMappedException:
 Manche oder alle Identitätsverweise konnten nicht übersetzt werden.     bei System.Runtime.Remoting.Channels.Ipc.IpcServerChannel.StartListening(Object
 data)     bei System.Runtime.Remoting.Channels.Ipc.IpcServerChannel..ctor(IDictionary
 properties, IServerChannelSinkProvider sinkProvider, CommonSecurityDescriptor securityDescriptor)

   bei System.Runtime.Remoting.Channels.Ipc.IpcChannel..ctor(IDictionary properties,
 IClientChannelSinkProvider clientSinkProvider, IServerChannelSinkProvider serverSinkProvider)

   --- Ende der internen Ausnahmestapelüberwachung ---     bei System.RuntimeMethodHandle._InvokeConstructor(Object[]
 args, SignatureStruct& signature, IntPtr declaringType)     bei System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags
 invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)     bei System.RuntimeType.CreateInstanceImpl(BindingFlags
 bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)

   bei System.Runtime.Remoting.RemotingConfigHandler.CreateChannelFromConfigEntry(ChannelEntry
 entry)     bei System.Runtime.Remoting.RemotingConfigHandler.ConfigureChannels(RemotingXmlConfigFileData
 configData, Boolean ensureSecurity)     bei System.Runtime.Remoting.RemotingConfigHandler.ConfigureRemoting(RemotingXmlConfigFileData
 configData, Boolean ensureSecurity)" bei der Remotekonfiguration.   bei System.Runtime.Remoting.RemotingConfigHandler.ConfigureRemoting(RemotingXmlConfigFileData
 configData, Boolean ensureSecurity)     bei System.Runtime.Remoting.RemotingConfiguration.Configure(String
 filename, Boolean ensureSecurity)     bei RemoteServerService.MemeoBackgroundService.OnStart(String[]
 args)
 
Error - 17.03.2013 05:09:05 | Computer Name = xxx | Source = WinMgmt | ID = 10
Description = 
 
Error - 18.03.2013 03:21:30 | Computer Name = xxx | Source = MemeoBackgroundService | ID = 0
Description = Problem starting Memeo Background Service :Ausnahmefehler "System.Reflection.TargetInvocationException:
 Ein Aufrufziel hat einen Ausnahmefehler verursacht. ---> System.Security.Principal.IdentityNotMappedException:
 Manche oder alle Identitätsverweise konnten nicht übersetzt werden.     bei System.Runtime.Remoting.Channels.Ipc.IpcServerChannel.StartListening(Object
 data)     bei System.Runtime.Remoting.Channels.Ipc.IpcServerChannel..ctor(IDictionary
 properties, IServerChannelSinkProvider sinkProvider, CommonSecurityDescriptor securityDescriptor)

   bei System.Runtime.Remoting.Channels.Ipc.IpcChannel..ctor(IDictionary properties,
 IClientChannelSinkProvider clientSinkProvider, IServerChannelSinkProvider serverSinkProvider)

   --- Ende der internen Ausnahmestapelüberwachung ---     bei System.RuntimeMethodHandle._InvokeConstructor(Object[]
 args, SignatureStruct& signature, IntPtr declaringType)     bei System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags
 invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)     bei System.RuntimeType.CreateInstanceImpl(BindingFlags
 bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)

   bei System.Runtime.Remoting.RemotingConfigHandler.CreateChannelFromConfigEntry(ChannelEntry
 entry)     bei System.Runtime.Remoting.RemotingConfigHandler.ConfigureChannels(RemotingXmlConfigFileData
 configData, Boolean ensureSecurity)     bei System.Runtime.Remoting.RemotingConfigHandler.ConfigureRemoting(RemotingXmlConfigFileData
 configData, Boolean ensureSecurity)" bei der Remotekonfiguration.   bei System.Runtime.Remoting.RemotingConfigHandler.ConfigureRemoting(RemotingXmlConfigFileData
 configData, Boolean ensureSecurity)     bei System.Runtime.Remoting.RemotingConfiguration.Configure(String
 filename, Boolean ensureSecurity)     bei RemoteServerService.MemeoBackgroundService.OnStart(String[]
 args)
 
Error - 18.03.2013 03:23:05 | Computer Name = xxx | Source = WinMgmt | ID = 10
Description = 
 
Error - 18.03.2013 06:24:17 | Computer Name = xxx | Source = MemeoBackgroundService | ID = 0
Description = Problem starting Memeo Background Service :Ausnahmefehler "System.Reflection.TargetInvocationException:
 Ein Aufrufziel hat einen Ausnahmefehler verursacht. ---> System.Security.Principal.IdentityNotMappedException:
 Manche oder alle Identitätsverweise konnten nicht übersetzt werden.     bei System.Runtime.Remoting.Channels.Ipc.IpcServerChannel.StartListening(Object
 data)     bei System.Runtime.Remoting.Channels.Ipc.IpcServerChannel..ctor(IDictionary
 properties, IServerChannelSinkProvider sinkProvider, CommonSecurityDescriptor securityDescriptor)

   bei System.Runtime.Remoting.Channels.Ipc.IpcChannel..ctor(IDictionary properties,
 IClientChannelSinkProvider clientSinkProvider, IServerChannelSinkProvider serverSinkProvider)

   --- Ende der internen Ausnahmestapelüberwachung ---     bei System.RuntimeMethodHandle._InvokeConstructor(Object[]
 args, SignatureStruct& signature, IntPtr declaringType)     bei System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags
 invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)     bei System.RuntimeType.CreateInstanceImpl(BindingFlags
 bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)

   bei System.Runtime.Remoting.RemotingConfigHandler.CreateChannelFromConfigEntry(ChannelEntry
 entry)     bei System.Runtime.Remoting.RemotingConfigHandler.ConfigureChannels(RemotingXmlConfigFileData
 configData, Boolean ensureSecurity)     bei System.Runtime.Remoting.RemotingConfigHandler.ConfigureRemoting(RemotingXmlConfigFileData
 configData, Boolean ensureSecurity)" bei der Remotekonfiguration.   bei System.Runtime.Remoting.RemotingConfigHandler.ConfigureRemoting(RemotingXmlConfigFileData
 configData, Boolean ensureSecurity)     bei System.Runtime.Remoting.RemotingConfiguration.Configure(String
 filename, Boolean ensureSecurity)     bei RemoteServerService.MemeoBackgroundService.OnStart(String[]
 args)
 
Error - 18.03.2013 06:25:52 | Computer Name = xxx| Source = WinMgmt | ID = 10
Description = 
 
Error - 18.03.2013 07:20:35 | Computer Name = xxx | Source = MsiInstaller | ID = 10005
Description = 
 
Error - 18.03.2013 13:16:59 | Computer Name = xxx | Source = Application Error | ID = 1000
Description = Name der fehlerhaften Anwendung: iexplore.exe, Version: 9.0.8112.16470,
 Zeitstempel: 0x510c8801  Name des fehlerhaften Moduls: aswWebRepIE.dll, Version: 
8.0.1483.72, Zeitstempel: 0x5137d145  Ausnahmecode: 0xc0000005  Fehleroffset: 0x00007cb8
ID
 des fehlerhaften Prozesses: 0x1bfc  Startzeit der fehlerhaften Anwendung: 0x01ce23d12444ed83
Pfad
 der fehlerhaften Anwendung: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Pfad
 des fehlerhaften Moduls: C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll  Berichtskennung:
 a3e7eb64-8fef-11e2-ba54-8c89a59ba218
 
Error - 18.03.2013 16:43:56 | Computer Name = xxx | Source = MemeoBackgroundService | ID = 0
Description = Problem starting Memeo Background Service :Ausnahmefehler "System.Reflection.TargetInvocationException:
 Ein Aufrufziel hat einen Ausnahmefehler verursacht. ---> System.Security.Principal.IdentityNotMappedException:
 Manche oder alle Identitätsverweise konnten nicht übersetzt werden.     bei System.Runtime.Remoting.Channels.Ipc.IpcServerChannel.StartListening(Object
 data)     bei System.Runtime.Remoting.Channels.Ipc.IpcServerChannel..ctor(IDictionary
 properties, IServerChannelSinkProvider sinkProvider, CommonSecurityDescriptor securityDescriptor)

   bei System.Runtime.Remoting.Channels.Ipc.IpcChannel..ctor(IDictionary properties,
 IClientChannelSinkProvider clientSinkProvider, IServerChannelSinkProvider serverSinkProvider)

   --- Ende der internen Ausnahmestapelüberwachung ---     bei System.RuntimeMethodHandle._InvokeConstructor(Object[]
 args, SignatureStruct& signature, IntPtr declaringType)     bei System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags
 invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)     bei System.RuntimeType.CreateInstanceImpl(BindingFlags
 bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)

   bei System.Runtime.Remoting.RemotingConfigHandler.CreateChannelFromConfigEntry(ChannelEntry
 entry)     bei System.Runtime.Remoting.RemotingConfigHandler.ConfigureChannels(RemotingXmlConfigFileData
 configData, Boolean ensureSecurity)     bei System.Runtime.Remoting.RemotingConfigHandler.ConfigureRemoting(RemotingXmlConfigFileData
 configData, Boolean ensureSecurity)" bei der Remotekonfiguration.   bei System.Runtime.Remoting.RemotingConfigHandler.ConfigureRemoting(RemotingXmlConfigFileData
 configData, Boolean ensureSecurity)     bei System.Runtime.Remoting.RemotingConfiguration.Configure(String
 filename, Boolean ensureSecurity)     bei RemoteServerService.MemeoBackgroundService.OnStart(String[]
 args)
 
Error - 18.03.2013 16:44:59 | Computer Name = xxx | Source = WinMgmt | ID = 10
Description = 
 
[ System Events ]
Error - 13.01.2013 02:37:30 | Computer Name = xxx | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am ?12.?01.?2013 um 17:21:50 unerwartet heruntergefahren.
 
Error - 16.01.2013 12:31:55 | Computer Name = xxx | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am ?16.?01.?2013 um 07:53:33 unerwartet heruntergefahren.
 
Error - 21.01.2013 14:45:41 | Computer Name = xxx | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am ?21.?01.?2013 um 09:17:30 unerwartet heruntergefahren.
 
Error - 01.02.2013 02:21:02 | Computer Name = xxx | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am ?01.?02.?2013 um 00:52:19 unerwartet heruntergefahren.
 
Error - 04.02.2013 14:03:31 | Computer Name = xxx | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am ?04.?02.?2013 um 07:52:24 unerwartet heruntergefahren.
 
Error - 11.02.2013 14:04:59 | Computer Name = xxx | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am ?11.?02.?2013 um 07:52:48 unerwartet heruntergefahren.
 
Error - 18.02.2013 02:18:04 | Computer Name = xxx | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am ?17.?02.?2013 um 22:47:50 unerwartet heruntergefahren.
 
Error - 23.02.2013 14:21:41 | Computer Name = xxx | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am ?23.?02.?2013 um 19:18:58 unerwartet heruntergefahren.
 
Error - 06.03.2013 02:35:55 | Computer Name = xxx | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am ?06.?03.?2013 um 00:10:31 unerwartet heruntergefahren.
 
Error - 07.03.2013 02:25:54 | Computer Name = xxx | Source = EventLog | ID = 6008
Description = Das System wurde zuvor am ?07.?03.?2013 um 03:07:03 unerwartet heruntergefahren.
 
 
< End of report >

--- --- ---

aharonov · 18.03.2013, 23:18

Hi,

ok, dann mach so weiter:

Schritt 1

Warnung für Mitleser:
Combofix sollte nur dann ausgeführt werden, wenn dies explizit von einem Teammitglied angewiesen wurde!

Downloade dir bitte Combofix.

WICHTIG: Speichere Combofix auf deinen Desktop.
Deaktiviere bitte alle deine Antivirensoftware sowie Malware/Spyware Scanner. Diese können Combofix bei der Arbeit stören.
Starte die Combofix.exe und folge den Anweisungen auf dem Bildschirm.
Während Combofix läuft, bitte gar nichts am Computer arbeiten, auch nicht die Maus bewegen!
Wenn Combofix fertig ist, wird es ein Logfile erstellen (C:\Combofix.txt).
Bitte poste den Inhalt dieses Logfiles in deiner nächsten Antwort.

Hinweis: Solltest du nach dem Neustart folgende Fehlermeldung erhalten

Zitat:

Es wurde versucht, einen Registrierungsschlüssel einem ungültigen Vorgang zu unterziehen, der zum Löschen markiert wurde.

starte den Rechner einfach neu. Dies sollte das Problem beheben.

Schritt 2

Starte bitte die OTL.exe.

Setze den Haken bei Scan all Users.
Drücke auf den Quick Scan Button.
Poste den Inhalt von OTL.txt hier in den Thread.

Bitte poste in deiner nächsten Antwort:

Log von Combofix
Log von OTL

TomFinn · 19.03.2013, 00:00

Hi,

so combofix ist durch, Neustart lief ohne Probleme.

anbei logfiles...

Combofix Logfile:

Code:

ATTFilter

ComboFix 13-03-17.01 - xxx  18.03.2013  23:34:48.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.49.1031.18.4078.2205 [GMT 1:00]
ausgeführt von:: c:\users\xxx\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Kaspersky Internet Security *Disabled/Outdated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
FW: Kaspersky Internet Security *Disabled* {1691B380-548E-1A7A-BE85-9A42CE15AEFF}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Kaspersky Internet Security *Disabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((   Dateien erstellt von 2013-02-18 bis 2013-03-18  ))))))))))))))))))))))))))))))
.
.
2013-03-18 22:38 . 2013-03-18 22:38	--------	d-----w-	c:\users\Default\AppData\Local\temp
2013-03-18 15:28 . 2013-03-18 15:28	--------	d-----w-	c:\users\xxx\AppData\Roaming\Malwarebytes
2013-03-18 15:28 . 2013-03-18 15:28	--------	d-----w-	c:\programdata\Malwarebytes
2013-03-18 15:28 . 2013-03-18 15:28	--------	d-----w-	c:\program files (x86)\Malwarebytes' Anti-Malware
2013-03-18 15:28 . 2012-12-14 15:49	24176	----a-w-	c:\windows\system32\drivers\mbam.sys
2013-03-18 15:28 . 2013-03-18 15:28	--------	d-----w-	c:\users\xxx\AppData\Local\Programs
2013-03-18 15:20 . 2010-09-06 14:17	4292096	----a-w-	c:\windows\SysWow64\redemption.dll
2013-03-18 15:20 . 2002-08-23 08:00	297472	----a-w-	c:\windows\SysWow64\midas.dll
2013-03-18 15:20 . 2013-03-18 15:20	--------	d-----w-	c:\program files (x86)\Common Files\deltra Software GmbH
2013-03-18 15:19 . 2012-12-03 09:56	4400752	----a-w-	c:\windows\system32\RwEasyMAPI64.exe
2013-03-18 15:19 . 2002-08-23 08:00	4082688	----a-w-	c:\windows\SysWow64\qtintf70.dll
2013-03-18 15:19 . 2013-03-18 15:23	--------	d-----w-	C:\orgaMAX
2013-03-18 11:36 . 2013-03-06 23:33	377920	----a-w-	c:\windows\system32\drivers\aswSP.sys
2013-03-18 11:36 . 2013-03-06 23:33	33400	----a-w-	c:\windows\system32\drivers\aswFsBlk.sys
2013-03-18 11:36 . 2013-03-06 23:33	70992	----a-w-	c:\windows\system32\drivers\aswRdr2.sys
2013-03-18 11:36 . 2013-03-06 23:33	68920	----a-w-	c:\windows\system32\drivers\aswTdi.sys
2013-03-18 11:36 . 2013-03-06 23:33	65336	----a-w-	c:\windows\system32\drivers\aswRvrt.sys
2013-03-18 11:36 . 2013-03-06 23:33	178624	----a-w-	c:\windows\system32\drivers\aswVmm.sys
2013-03-18 11:36 . 2013-03-06 23:33	1025808	----a-w-	c:\windows\system32\drivers\aswSnx.sys
2013-03-18 11:36 . 2013-03-06 23:33	80816	----a-w-	c:\windows\system32\drivers\aswMonFlt.sys
2013-03-18 11:36 . 2013-03-06 23:32	287840	----a-w-	c:\windows\system32\aswBoot.exe
2013-03-18 11:36 . 2013-03-06 23:32	41664	----a-w-	c:\windows\avastSS.scr
2013-03-18 11:35 . 2013-03-18 11:35	--------	d-----w-	c:\program files\AVAST Software
2013-03-18 11:30 . 2013-03-18 11:35	--------	d-----w-	c:\programdata\AVAST Software
2013-03-18 11:22 . 2013-03-18 11:22	--------	d-----w-	c:\users\xxx\AppData\Roaming\QuickScan
2013-03-15 14:06 . 2013-02-19 02:57	9162192	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{D0A6636B-1650-4D67-BF7A-5F27C708C7E1}\mpengine.dll
2013-03-06 11:12 . 2013-03-08 20:03	--------	d-----w-	c:\users\xxx\AppData\Roaming\TS3Client
2013-03-06 11:12 . 2013-03-06 11:12	--------	d-----w-	c:\program files (x86)\TeamSpeak 3 Client
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-14 01:50 . 2011-03-14 14:08	72013344	----a-w-	c:\windows\system32\MRT.exe
2013-03-12 19:07 . 2012-11-05 06:12	693976	----a-w-	c:\windows\SysWow64\FlashPlayerApp.exe
2013-03-12 19:07 . 2011-08-22 17:09	73432	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-02-12 05:45 . 2013-03-13 20:49	135168	----a-w-	c:\windows\apppatch\AppPatch64\AcXtrnal.dll
2013-02-12 05:45 . 2013-03-13 20:49	308736	----a-w-	c:\windows\apppatch\AppPatch64\AcGenral.dll
2013-02-12 05:45 . 2013-03-13 20:49	350208	----a-w-	c:\windows\apppatch\AppPatch64\AcLayers.dll
2013-02-12 05:45 . 2013-03-13 20:49	111104	----a-w-	c:\windows\apppatch\AppPatch64\acspecfc.dll
2013-02-12 04:48 . 2013-03-13 20:49	474112	----a-w-	c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48 . 2013-03-13 20:49	2176512	----a-w-	c:\windows\apppatch\AcGenral.dll
2013-01-17 00:28 . 2010-11-21 03:27	273840	------w-	c:\windows\system32\MpSigStub.exe
2013-01-05 05:53 . 2013-02-13 19:14	5553512	----a-w-	c:\windows\system32\ntoskrnl.exe
2013-01-05 05:00 . 2013-02-13 19:14	3967848	----a-w-	c:\windows\SysWow64\ntkrnlpa.exe
2013-01-05 05:00 . 2013-02-13 19:14	3913064	----a-w-	c:\windows\SysWow64\ntoskrnl.exe
2013-01-04 05:46 . 2013-02-13 19:13	215040	----a-w-	c:\windows\system32\winsrv.dll
2013-01-04 04:51 . 2013-02-13 19:13	5120	----a-w-	c:\windows\SysWow64\wow32.dll
2013-01-04 04:43 . 2013-02-13 19:13	44032	----a-w-	c:\windows\apppatch\acwow64.dll
2013-01-04 03:26 . 2013-02-13 19:13	3153408	----a-w-	c:\windows\system32\win32k.sys
2013-01-04 02:47 . 2013-02-13 19:13	25600	----a-w-	c:\windows\SysWow64\setup16.exe
2013-01-04 02:47 . 2013-02-13 19:13	7680	----a-w-	c:\windows\SysWow64\instnm.exe
2013-01-04 02:47 . 2013-02-13 19:13	2048	----a-w-	c:\windows\SysWow64\user.exe
2013-01-04 02:47 . 2013-02-13 19:13	14336	----a-w-	c:\windows\SysWow64\ntvdm64.dll
2013-01-03 06:00 . 2013-02-13 19:13	1913192	----a-w-	c:\windows\system32\drivers\tcpip.sys
2013-01-03 06:00 . 2013-02-13 19:13	288088	----a-w-	c:\windows\system32\drivers\FWPKCLNT.SYS
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-10-28 39408]
"Pando Media Booster"="c:\program files (x86)\Pando Networks\Media Booster\PMB.exe" [2012-11-16 3093624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2011-05-20 284440]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-10-14 343168]
"CLMLServer"="c:\program files (x86)\CyberLink\Power2Go\CLMLSvc.exe" [2010-08-03 107816]
"AVP"="c:\program files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe" [2012-10-30 206448]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-03-06 4767304]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
watchmi tray.lnk - c:\windows\Installer\{409DC300-28AF-468F-9624-1F3309701881}\SHCT_TRAY_PROGRAMG_A10D8603999C4E9488776EF2533C58C9.exe [2012-10-28 300928]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 aswVmm;aswVmm; [x]
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8192su.sys [2010-11-25 694888]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [2010-09-23 129008]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 aswRvrt;aswRvrt; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [2011-03-04 11864]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2011-03-10 29488]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-10-13 204288]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-03-06 80816]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-05-20 13592]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2012-12-14 398184]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-12-14 682344]
S2 MemeoBackgroundService;MemeoBackgroundService;c:\program files (x86)\Memeo\AutoBackup\MemeoBackgroundService.exe [2011-09-28 25824]
S2 orgaMAXMobileService;orgaMAX Mobil Service;c:\orgamax\orgamaxmobil_service.exe s [x]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2011-03-11 2656280]
S2 watchmi;watchmi service;c:\program files (x86)\watchmi\TvdService.exe [2011-10-07 70144]
S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\drivers\asmthub3.sys [2011-08-02 129000]
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\drivers\asmtxhci.sys [2011-08-02 391144]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [2011-10-18 93712]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-11-02 22544]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-12-14 24176]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2011-06-10 539240]
.
.
--- Andere Dienste/Treiber im Speicher ---
.
*NewlyCreated* - ASWRVRT
*NewlyCreated* - ASWSNX
.
Inhalt des "geplante Tasks" Ordners
.
2013-03-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-11-05 19:07]
.
2013-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-28 11:34]
.
2013-03-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-10-28 11:34]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-03-06 23:32	133840	----a-w-	c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2013-03-07 15:31	776144	----a-w-	c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-03-07 15:31	776144	----a-w-	c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2013-03-07 15:31	776144	----a-w-	c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2013-03-07 15:31	776144	----a-w-	c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-08-16 12673128]
"MedionReminder"="c:\program files (x86)\CyberLink\PowerRecover\Reminder.exe" [2011-05-25 443688]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"MedionReminder"="c:\program files (x86)\CyberLink\PowerRecover\Reminder.exe" [2011-05-25 443688]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - LocalService
FontCache
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=MDNF&bmod=MDNF
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Hinzufügen zu Anti-Banner - c:\program files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\ie_banner_deny.htm
IE: {{0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-31/4
TCP: DhcpNameServer = 192.168.1.1
.
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_6_602_180.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2013-03-18  23:40:16
ComboFix-quarantined-files.txt  2013-03-18 22:40
.
Vor Suchlauf: 8 Verzeichnis(se), 1.381.893.234.688 Bytes frei
Nach Suchlauf: 11 Verzeichnis(se), 1.381.927.124.992 Bytes frei
.
- - End Of File - - 959C26EF920E500B8D4A51AD4BE47F83

--- --- ---

OTL Logfile:

Code:

ATTFilter

OTL logfile created on: 18.03.2013 23:47:20 - Run 2
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\xxx\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
3,98 Gb Total Physical Memory | 2,07 Gb Available Physical Memory | 52,04% Memory free
7,96 Gb Paging File | 5,67 Gb Available in Paging File | 71,23% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 1346,17 Gb Total Space | 1287,10 Gb Free Space | 95,61% Space Free | Partition Type: NTFS
Drive D: | 50,00 Gb Total Space | 30,31 Gb Free Space | 60,63% Space Free | Partition Type: NTFS
 
Computer Name: xxx | User Name: xxx | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Users\xxx\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
PRC - C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
PRC - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe (Google Inc.)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
PRC - C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe ()
PRC - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe (Kaspersky Lab ZAO)
PRC - C:\orgaMAX\orgamaxmobil_service.exe (deltra Business Software GmbH & Co. KG)
PRC - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files (x86)\CyberLink\PowerRecover\Reminder.exe (CyberLink)
PRC - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation)
PRC - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation)
PRC - C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe (CyberLink)
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\5ecf01964c70e453d71e5d7653912ff9\System.Web.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\cb562e2e4f74ae607f1186f6ec50cec7\System.Windows.Forms.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorUtil\346a7a67978cead8e2ff52c6d80bbeb7\IAStorUtil.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\IAStorCommon\500a8ae2a5d27132d87ccac9f97b0069\IAStorCommon.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\90b89f6e8032310e9ac72a309fd49e83\System.Runtime.Remoting.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\eead6629e384a5b69f9ae35284b7eeed\System.Drawing.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\cf827fe7bc99d9bcf0ba3621054ef527\WindowsBase.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\f687c43e9fdec031988b33ae722c4613\System.Xml.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System\369f8bdca364e2b4936d18dea582912c\System.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\195a77fcc6206f8bb35d419ff2cf0d72\System.Configuration.ni.dll ()
MOD - C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7150b9136fad5b79e88f6c7f9d3d2c39\mscorlib.ni.dll ()
MOD - C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe ()
MOD - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\QtGui4.dll ()
MOD - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\QtSql4.dll ()
MOD - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\QtScript4.dll ()
MOD - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\QtNetwork4.dll ()
MOD - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\QtCore4.dll ()
MOD - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\QtDeclarative4.dll ()
MOD - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\imageformats\qgif4.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting.resources\2.0.0.0_de_b77a5c561934e089\System.Runtime.Remoting.resources.dll ()
MOD - C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_de_b77a5c561934e089\mscorlib.resources.dll ()
MOD - C:\Program Files (x86)\CyberLink\Power2Go\CLMediaLibrary.dll ()
MOD - C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvcPS.dll ()
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - (avast! Antivirus) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
SRV:64bit: - (AMD External Events Utility) -- C:\Windows\SysNative\atiesrxx.exe (AMD)
SRV:64bit: - (wlcrasvc) -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe (Microsoft Corporation)
SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\mpsvc.dll (Microsoft Corporation)
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (MBAMService) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe (Malwarebytes Corporation)
SRV - (MBAMScheduler) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe (Malwarebytes Corporation)
SRV - (AVP) -- C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe (Kaspersky Lab ZAO)
SRV - (orgaMAXMobileService) -- C:\orgaMAX\orgamaxmobil_service.exe (deltra Business Software GmbH & Co. KG)
SRV - (AdobeARMservice) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (watchmi) -- C:\Program Files (x86)\watchmi\TvdService.exe ()
SRV - (MemeoBackgroundService) -- C:\Program Files (x86)\Memeo\AutoBackup\MemeoBackgroundService.exe (Memeo)
SRV - (IAStorDataMgrSvc) -- C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe (Intel Corporation)
SRV - (UNS) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe (Intel Corporation)
SRV - (LMS) -- C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe (Intel Corporation)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - (aswSnx) -- C:\Windows\SysNative\drivers\aswSnx.sys (AVAST Software)
DRV:64bit: - (aswSP) -- C:\Windows\SysNative\drivers\aswSP.sys (AVAST Software)
DRV:64bit: - (aswVmm) -- C:\Windows\SysNative\drivers\aswVmm.sys ()
DRV:64bit: - (aswRdr) -- C:\Windows\SysNative\drivers\aswRdr2.sys (AVAST Software)
DRV:64bit: - (aswTdi) -- C:\Windows\SysNative\drivers\aswTdi.sys (AVAST Software)
DRV:64bit: - (aswRvrt) -- C:\Windows\SysNative\drivers\aswRvrt.sys ()
DRV:64bit: - (aswMonFlt) -- C:\Windows\SysNative\drivers\aswMonFlt.sys (AVAST Software)
DRV:64bit: - (aswFsBlk) -- C:\Windows\SysNative\drivers\aswFsBlk.sys (AVAST Software)
DRV:64bit: - (MBAMProtector) -- C:\Windows\SysNative\drivers\mbam.sys (Malwarebytes Corporation)
DRV:64bit: - (KLIF) -- C:\Windows\SysNative\drivers\klif.sys (Kaspersky Lab)
DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (AtiHDAudioService) -- C:\Windows\SysNative\drivers\AtihdW76.sys (Advanced Micro Devices)
DRV:64bit: - (amdkmdag) -- C:\Windows\SysNative\drivers\atikmdag.sys (ATI Technologies Inc.)
DRV:64bit: - (amdkmdap) -- C:\Windows\SysNative\drivers\atikmpag.sys (Advanced Micro Devices, Inc.)
DRV:64bit: - (asmtxhci) -- C:\Windows\SysNative\drivers\asmtxhci.sys (ASMedia Technology Inc)
DRV:64bit: - (asmthub3) -- C:\Windows\SysNative\drivers\asmthub3.sys (ASMedia Technology Inc)
DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\drivers\Rt64win7.sys (Realtek                                            )
DRV:64bit: - (iaStor) -- C:\Windows\SysNative\drivers\iaStor.sys (Intel Corporation)
DRV:64bit: - (MEIx64) -- C:\Windows\SysNative\drivers\HECIx64.sys (Intel Corporation)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (KLIM6) -- C:\Windows\SysNative\drivers\klim6.sys (Kaspersky Lab ZAO)
DRV:64bit: - (kl2) -- C:\Windows\SysNative\drivers\kl2.sys (Kaspersky Lab ZAO)
DRV:64bit: - (KL1) -- C:\Windows\SysNative\drivers\kl1.sys (Kaspersky Lab ZAO)
DRV:64bit: - (RTL8192su) -- C:\Windows\SysNative\drivers\RTL8192su.sys (Realtek Semiconductor Corporation                           )
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (TsUsbGD) -- C:\Windows\SysNative\drivers\TsUsbGD.sys (Microsoft Corporation)
DRV:64bit: - (wsvd) -- C:\Windows\SysNative\drivers\wsvd.sys (CyberLink)
DRV:64bit: - (klmouflt) -- C:\Windows\SysNative\drivers\klmouflt.sys (Kaspersky Lab)
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (igfx) -- C:\Windows\SysNative\drivers\igdkmd64.sys (Intel Corporation)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
 
IE - HKU\S-1-5-21-3885901794-1574605852-3563904086-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-3885901794-1574605852-3563904086-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com/ig/redirectdomain?brand=MDNF&bmod=MDNF
IE - HKU\S-1-5-21-3885901794-1574605852-3563904086-1000\..\SearchScopes,DefaultScope = {F3E7F170-AEA9-44AE-9FB3-3F3E1DDD8067}
IE - HKU\S-1-5-21-3885901794-1574605852-3563904086-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\S-1-5-21-3885901794-1574605852-3563904086-1000\..\SearchScopes\{F3E7F170-AEA9-44AE-9FB3-3F3E1DDD8067}: "URL" = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7MDNF_deDE507
IE - HKU\S-1-5-21-3885901794-1574605852-3563904086-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
========== FireFox ==========
 
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\linkfilter@kaspersky.ru: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\FFExt\linkfilter@kaspersky.ru [2012.10.30 19:27:51 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\virtualKeyboard@kaspersky.ru: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\FFExt\virtualKeyboard@kaspersky.ru [2012.10.30 19:27:51 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\KavAntiBanner@Kaspersky.ru: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\FFExt\KavAntiBanner@Kaspersky.ru [2012.10.30 19:27:50 | 000,000,000 | ---D | M]
 
 
O1 HOSTS File: ([2009.06.10 22:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O2:64bit: - BHO: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O2:64bit: - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\x64\ievkbd.dll (Kaspersky Lab ZAO)
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2:64bit: - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\x64\klwtbbho.dll (Kaspersky Lab ZAO)
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\ievkbd.dll (Kaspersky Lab ZAO)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\klwtbbho.dll (Kaspersky Lab ZAO)
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3:64bit: - HKLM\..\Toolbar: (avast! WebRep) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3:64bit: - HKU\S-1-5-21-3885901794-1574605852-3563904086-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O4:64bit: - HKLM..\Run: [MedionReminder] C:\Program Files (x86)\CyberLink\PowerRecover\Reminder.exe (CyberLink)
O4:64bit: - HKLM..\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [AVP] C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe (Kaspersky Lab ZAO)
O4 - HKLM..\Run: [CLMLServer] C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe (CyberLink)
O4 - HKLM..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe (Intel Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKU\S-1-5-21-3885901794-1574605852-3563904086-1000..\Run: [Pando Media Booster] C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe ()
O4:64bit: - HKLM..\RunOnce: [MedionReminder] C:\Program Files (x86)\CyberLink\PowerRecover\Reminder.exe (CyberLink)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3885901794-1574605852-3563904086-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3885901794-1574605852-3563904086-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8:64bit: - Extra context menu item: Hinzufügen zu Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\ie_banner_deny.htm ()
O8 - Extra context menu item: Hinzufügen zu Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\ie_banner_deny.htm ()
O9:64bit: - Extra Button: eBay - Der weltweite Online-Marktplatz - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-31/4 File not found
O9:64bit: - Extra 'Tools' menuitem : eBay - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-31/4 File not found
O9:64bit: - Extra Button: &Virtuelle Tastatur - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\x64\ievkbd.dll (Kaspersky Lab ZAO)
O9:64bit: - Extra Button: Li&nks untersuchen - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\x64\klwtbbho.dll (Kaspersky Lab ZAO)
O9 - Extra Button: eBay - Der weltweite Online-Marktplatz - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-31/4 File not found
O9 - Extra 'Tools' menuitem : eBay - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - hxxp://rover.ebay.com/rover/1/707-37276-17534-31/4 File not found
O9 - Extra Button: &Virtuelle Tastatur - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\ievkbd.dll (Kaspersky Lab ZAO)
O9 - Extra Button: Li&nks untersuchen - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\klwtbbho.dll (Kaspersky Lab ZAO)
O13 - gopher Prefix: missing
O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} hxxp://quickscan.bitdefender.com/qsax/qsax.cab (Bitdefender QuickScan Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{30924113-C70C-4A09-92FC-A1E12B183665}: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\klogon: DllName - (%SystemRoot%\System32\klogon.dll) - C:\Windows\SysNative\klogon.dll (Kaspersky Lab ZAO)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013.03.18 23:44:15 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2013.03.18 23:34:08 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2013.03.18 23:34:08 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2013.03.18 23:34:08 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2013.03.18 23:34:00 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013.03.18 23:33:50 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2013.03.18 23:30:00 | 005,041,875 | R--- | C] (Swearware) -- C:\Users\deTenner\Desktop\ComboFix.exe
[2013.03.18 22:28:34 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\deTenner\Desktop\OTL.exe
[2013.03.18 16:28:39 | 000,000,000 | ---D | C] -- C:\Users\deTenner\AppData\Roaming\Malwarebytes
[2013.03.18 16:28:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013.03.18 16:28:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2013.03.18 16:28:34 | 000,024,176 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2013.03.18 16:28:34 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2013.03.18 16:28:09 | 000,000,000 | ---D | C] -- C:\Users\deTenner\AppData\Local\Programs
[2013.03.18 16:20:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\orgaMAX Business Software
[2013.03.18 16:20:41 | 004,292,096 | ---- | C] (dimastr.com) -- C:\Windows\SysWow64\redemption.dll
[2013.03.18 16:20:39 | 000,297,472 | ---- | C] (Borland Software Corporation) -- C:\Windows\SysWow64\midas.dll
[2013.03.18 16:20:00 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\deltra Software GmbH
[2013.03.18 16:19:56 | 004,400,752 | ---- | C] (RAPWare) -- C:\Windows\SysNative\RwEasyMAPI64.exe
[2013.03.18 16:19:55 | 004,082,688 | ---- | C] (Borland Software Corporation) -- C:\Windows\SysWow64\qtintf70.dll
[2013.03.18 16:19:54 | 000,000,000 | ---D | C] -- C:\orgaMAX
[2013.03.18 12:38:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive
[2013.03.18 12:36:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2013.03.18 12:36:26 | 000,377,920 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
[2013.03.18 12:36:26 | 000,033,400 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys
[2013.03.18 12:36:23 | 001,025,808 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys
[2013.03.18 12:36:23 | 000,287,840 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe
[2013.03.18 12:36:23 | 000,080,816 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2013.03.18 12:36:23 | 000,070,992 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr2.sys
[2013.03.18 12:36:23 | 000,068,920 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswTdi.sys
[2013.03.18 12:36:03 | 000,041,664 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2013.03.18 12:35:53 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2013.03.18 12:30:27 | 000,000,000 | ---D | C] -- C:\ProgramData\AVAST Software
[2013.03.18 12:22:10 | 000,000,000 | ---D | C] -- C:\Users\deTenner\AppData\Roaming\QuickScan
[2013.03.07 18:37:55 | 000,000,000 | ---D | C] -- C:\Users\deTenner\AppData\Local\{E0AC1B78-6D4C-4E45-BBAA-75D2A37B90F2}
[2013.03.06 22:07:51 | 000,000,000 | ---D | C] -- C:\Users\deTenner\AppData\Local\{73E16C01-BA3A-42AF-B851-D17B044F7FAC}
[2013.03.06 14:19:56 | 000,000,000 | ---D | C] -- C:\Users\deTenner\Documents\NavyField
[2013.03.06 12:12:24 | 000,000,000 | ---D | C] -- C:\Users\deTenner\AppData\Roaming\TS3Client
[2013.03.06 12:12:15 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamSpeak 3 Client
[2013.03.06 12:12:14 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\TeamSpeak 3 Client
[2013.02.28 06:21:35 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Local\{2021B29B-F629-45C6-97B1-D986F6D22CC8}
[2013.02.24 14:18:40 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Local\{8FBC6EAA-4236-4C81-A446-A9014C96BC00}
[2013.02.23 19:23:11 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Local\{D8C77060-3BB6-422F-87D8-7C48028A5AD1}
[2013.02.23 19:17:57 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Local\{9601227F-128C-4024-AF81-216AADF36C66}
[2013.02.23 14:35:23 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Local\{FCC6F977-2511-497E-9223-5878583D9AEE}
[2013.02.23 14:25:55 | 000,000,000 | ---D | C] -- C:\Users\xxx\AppData\Local\{FC396C05-8809-43CE-B137-12296C2425ED}
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013.03.18 23:51:00 | 000,001,110 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013.03.18 23:43:37 | 000,001,106 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013.03.18 23:43:04 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013.03.18 23:42:59 | 3206,787,072 | -HS- | M] () -- C:\hiberfil.sys
[2013.03.18 23:30:24 | 005,041,875 | R--- | M] (Swearware) -- C:\Users\xxx\Desktop\ComboFix.exe
[2013.03.18 23:07:00 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013.03.18 22:28:37 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\xxx\Desktop\OTL.exe
[2013.03.18 21:51:26 | 000,016,752 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013.03.18 21:51:26 | 000,016,752 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013.03.18 18:53:01 | 000,377,856 | ---- | M] () -- C:\Users\xxx\Desktop\83n5yfzz.exe
[2013.03.18 18:19:25 | 000,000,000 | ---- | M] () -- C:\Users\xxx\defogger_reenable
[2013.03.18 18:18:09 | 000,050,477 | ---- | M] () -- C:\Users\xxx\Desktop\Defogger.exe
[2013.03.18 16:28:36 | 000,001,117 | ---- | M] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2013.03.18 16:20:42 | 000,001,530 | ---- | M] () -- C:\Users\xxx\Desktop\orgaMAX starten....lnk
[2013.03.18 12:36:27 | 000,001,926 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2013.03.18 12:36:23 | 000,000,000 | ---- | M] () -- C:\Windows\SysWow64\config.nt
[2013.03.07 00:33:21 | 001,025,808 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys
[2013.03.07 00:33:21 | 000,377,920 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
[2013.03.07 00:33:21 | 000,178,624 | ---- | M] () -- C:\Windows\SysNative\drivers\aswVmm.sys
[2013.03.07 00:33:21 | 000,070,992 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr2.sys
[2013.03.07 00:33:21 | 000,068,920 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswTdi.sys
[2013.03.07 00:33:21 | 000,065,336 | ---- | M] () -- C:\Windows\SysNative\drivers\aswRvrt.sys
[2013.03.07 00:33:20 | 000,080,816 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2013.03.07 00:33:20 | 000,033,400 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswFsBlk.sys
[2013.03.07 00:32:51 | 000,041,664 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2013.03.07 00:32:22 | 000,287,840 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe
[2013.03.06 12:12:15 | 000,001,170 | ---- | M] () -- C:\Users\Public\Desktop\TeamSpeak 3 Client.lnk
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013.03.18 23:34:08 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2013.03.18 23:34:08 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2013.03.18 23:34:08 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2013.03.18 23:34:08 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2013.03.18 23:34:08 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2013.03.18 18:53:00 | 000,377,856 | ---- | C] () -- C:\Users\xxx\Desktop\83n5yfzz.exe
[2013.03.18 18:19:25 | 000,000,000 | ---- | C] () -- C:\Users\xxx\defogger_reenable
[2013.03.18 18:18:01 | 000,050,477 | ---- | C] () -- C:\Users\xxx\Desktop\Defogger.exe
[2013.03.18 16:28:36 | 000,001,117 | ---- | C] () -- C:\Users\Public\Desktop\ Malwarebytes Anti-Malware .lnk
[2013.03.18 16:20:42 | 000,001,530 | ---- | C] () -- C:\Users\xxx\Desktop\orgaMAX starten....lnk
[2013.03.18 12:36:27 | 000,001,926 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2013.03.18 12:36:23 | 000,178,624 | ---- | C] () -- C:\Windows\SysNative\drivers\aswVmm.sys
[2013.03.18 12:36:23 | 000,065,336 | ---- | C] () -- C:\Windows\SysNative\drivers\aswRvrt.sys
[2013.03.18 12:36:23 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\config.nt
[2013.03.06 12:12:15 | 000,001,170 | ---- | C] () -- C:\Users\Public\Desktop\TeamSpeak 3 Client.lnk
[2011.11.23 19:20:22 | 000,204,952 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat
[2011.11.23 19:20:22 | 000,157,144 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat
[2011.11.23 19:20:21 | 000,003,917 | ---- | C] () -- C:\Windows\SysWow64\atipblag.dat
[2011.10.14 01:53:18 | 000,056,832 | ---- | C] () -- C:\Windows\SysWow64\OpenVideo.dll
[2011.10.14 01:53:02 | 000,056,832 | ---- | C] () -- C:\Windows\SysWow64\OVDecoder.dll
[2011.08.22 17:19:31 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2011.07.08 07:37:28 | 000,053,760 | ---- | C] () -- C:\Windows\SysWow64\OVDecode.dll
 
========== ZeroAccess Check ==========
 
[2009.07.14 05:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2012.06.09 06:43:10 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012.06.09 05:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009.07.14 02:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010.11.21 04:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009.07.14 02:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
 
========== LOP Check ==========
 
[2013.03.18 12:22:10 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\QuickScan
[2013.03.08 21:03:30 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\TS3Client
[2012.10.28 13:49:18 | 000,000,000 | ---D | M] -- C:\Users\xxx\AppData\Roaming\wargaming.net
 
========== Purity Check ==========
 
 

< End of report >

--- --- ---

aharonov · 19.03.2013, 00:09

Hi,

wie läuft der Rechner?

Hinweis: Mehrere AV-Hintergrundwächter

Mir ist aufgefallen, dass du mehr als ein Antivirus-Programm mit Hintergrundwächter laufen hast:

Kaspersky Internet Security 2012

avast! Free Antivirus

Das ist gefährlich, da sich die verschiedenen Hintergrundwächter gegenseitig in die Quere kommen können und dadurch in ihrer Summe nicht mehr sondern weniger Schutz bieten. Ausserdem bremst das auch das System aus.

Entscheide dich für eines dieser Programme und deinstalliere die anderen über Start -> Systemsteuerung -> Programme und Funktionen (Vista & Win 7) bzw. Start -> Systemsteuerung -> Software (Win XP).

Schritt 1

Starte bitte die OTL.exe.
Kopiere nun den folgenden Inhalt aus der Codebox in die Textbox.
Wichtig: Falls du deinen Benutzernamen im Log unkenntlich gemacht hast (z.B. durch ***), dann mach das hier wieder rückgängig.

Code:

ATTFilter

:commands
[emptytemp]

Schliesse nun bitte alle anderen Programme.
Klicke jetzt auf den Fix Button.
OTL kann gegebenfalls einen Neustart verlangen. Diesen bitte zulassen.
Nach dem Neustart findest du ein Textdokument auf deinem Desktop.
(Auch zu finden unter C:\_OTL\MovedFiles\<date_time>.log)
Kopiere nun dessen Inhalt hier in deinen Thread.

Schritt 2

Öffne das Programm Malwarebytes Anti-Malware.
Vista und Win7 User mit Rechtsklick "als Administrator starten".
Klicke auf Aktualisierung --> Suche nach Aktualisierung.
Wenn das Update beendet wurde, aktiviere im Reiter Suchlauf die Option Quick-Scan durchführen und drücke auf Scannen.
Wenn der Scan fertig ist, klicke auf Ergebnisse anzeigen.
Versichere dich, dass alle Funde markiert sind und drücke Entferne Auswahl.
Poste das Logfile, welches sich in Notepad öffnet, hier in den Thread.
Nachträglich kannst du den Bericht unter dem Reiter Logdateien finden.

Schritt 3

Lade das Setup des ESET Online Scanners herunter und speichere es auf den Desktop.

Schliesse evtl. vorhandene externe Festplatten und USB-Sticks an den Rechner an.
Deaktiviere jetzt temporär für diesen Scan dein Antivirenprogramm und die Firewall.
(Danach nicht vergessen, sie wieder einzuschalten.)
Starte nun die heruntergeladene esetsmartinstaller_enu.exe.
Setze den Haken bei Yes, I accept the Terms of Use und drücke Start.
Warte bis die Komponenten heruntergeladen sind.
Setze den Haken bei Scan archives.
Gehe sicher, dass bei Remove found Threats kein Haken gesetzt ist.
Drücke dann auf Start.
Die Signaturen werden heruntergeladen und der Scan startet automatisch.
Hinweis: Dieser Scan kann unter Umständen ziemlich lange dauern!
Falls nach Beendigung des Scans Funde angezeigt werden, dann:
- Drücke auf List of found threats.
- Klicke dann auf Export to text file... und speichere die Textdatei als ESET.txt auf den Desktop.
- Drücke danach auf << Back.
Schliesse nun den Scanner mit einem Klick auf Finish.

Poste bitte den Inhalt der ESET.txt oder teile mir mit, wenn es keine Funde gegeben hat.

Schritt 4

Downloade dir bitte SecurityCheck (Link 2).

Speichere es auf dem Desktop.
Starte SecurityCheck.exe und folge den Anweisungen in der DOS-Box.
Vista und Win7 User mit Rechtsklick "als Administrator starten"
Wenn der Scan beendet wurde, sollte sich ein Textdokument (checkup.txt) öffnen.

Poste den Inhalt bitte hier.

Bitte poste in deiner nächsten Antwort:

Fixlog von OTL
Log von MBAM
Log von ESET
Log von SecurityCheck

TomFinn · 19.03.2013, 00:45

hi,

Kaspersky hab ich runtergeschmissen da eh ausgelaufen, PC läuft aktuell stabil und schnell

hier der schritt 1.

All processes killed
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 57616 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: xxx
->Temp folder emptied: 14358632 bytes
->Temporary Internet Files folder emptied: 426913743 bytes
->Java cache emptied: 3142431 bytes
->Flash cache emptied: 73499 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1103463 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50434 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 425,00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 03192013_002444

Files\Folders moved on Reboot...
C:\Users\xxx\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
File\Folder C:\Windows\temp\fb_2780.lck not found!

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

nix gefunden :-)

schritt 2.

Malwarebytes Anti-Malware (Test) 1.70.0.1100
www.malwarebytes.org

Datenbank Version: v2013.03.18.15

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
deTenner :: xxx [Administrator]

Schutz: Aktiviert

19.03.2013 00:34:47
mbam-log-2013-03-19 (00-34-47).txt

Art des Suchlaufs: Quick-Scan
Aktivierte Suchlaufeinstellungen: Speicher | Autostart | Registrierung | Dateisystem | Heuristiks/Extra | HeuristiKs/Shuriken | PUP | PUM
Deaktivierte Suchlaufeinstellungen: P2P
Durchsuchte Objekte: 218001
Laufzeit: 1 Minute(n), 40 Sekunde(n)

Infizierte Speicherprozesse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel: 0
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung: 0
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse: 0
(Keine bösartigen Objekte gefunden)

Infizierte Dateien: 0
(Keine bösartigen Objekte gefunden)

(Ende)

Schritt 3.
Eset online scanner lässt sich nicht downloaden, IE will nicht. Firewall und Avast sind schon deaktiviert.

Gruss TomFinn

aharonov · 19.03.2013, 00:46

Zitat:

Eset online scanner lässt sich nicht downloaden, IE will nicht.

Kannst du dieses File von ESET auch mit einem anderem Browser nicht herunterladen?

TomFinn · 19.03.2013, 01:01

Google Chrome funzt, dauert aber wie ja schon beschrieben etwas

aharonov · 19.03.2013, 01:03

Zitat:

dauert aber wie ja schon beschrieben etwas

Jep, der ESET-Scan kann unter Umständen lange dauern.
Vielleicht einfach über Nacht laufen lassen..

18.03.2013, 18:48	#4
aharonov /// TB-Ausbilder	JS: pdfka-gen [Expl]" Bedrohung gefunden über Avast Hi, ich glaube, das was du meinst ist ein Screenshot des Programms, welcher auf dieser Website gezeigt wird.. Du musst untendran auf den Button Download EXE drücken, um das Programm herunterzuladen. __________________ cheers, Leo

18.03.2013, 22:10	#6
aharonov /// TB-Ausbilder	JS: pdfka-gen [Expl]" Bedrohung gefunden über Avast Hi, ja, schmeiss dieses Speed up runter und mach mit Schritt 3 weiter. __________________ --> JS: pdfka-gen [Expl]" Bedrohung gefunden über Avast

JS: pdfka-gen [Expl]" Bedrohung gefunden über Avast

Log-Analyse und Auswertung: JS: pdfka-gen [Expl]" Bedrohung gefunden über Avast